From f1e54bd4024d185d528efe422c99edb7ebeb6a87 Mon Sep 17 00:00:00 2001 From: Natalia Luzuriaga Date: Mon, 25 Aug 2025 16:49:17 -0700 Subject: [PATCH 1/5] Changed gov schema to include usage of JSON 2020-12. Included new SBOM field Signed-off-by: Natalia Luzuriaga --- schemas/schema-2.0.0.json | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/schemas/schema-2.0.0.json b/schemas/schema-2.0.0.json index a01e16b..73babbd 100644 --- a/schemas/schema-2.0.0.json +++ b/schemas/schema-2.0.0.json @@ -1,5 +1,5 @@ { - "$schema": "http://json-schema.org/draft-04/schema#", + "$schema": "https://json-schema.org/draft/2020-12/schema", "title": "code.json metadata", "description": "A metadata standard for software repositories", "type": "object", @@ -131,7 +131,8 @@ "hg", "svn", "rcs", - "bzr" + "bzr", + "none" ] }, "laborHours": { @@ -175,6 +176,10 @@ "type": "string" } }, + "SBOM": { + "type": "string", + "description": "Link of the upstream repositories and dependencies used, in the form of a Software Bill of Materials/SBOM. If the software does not have a SBOM, enter 'None'. (i.e. Github provides an SBOM: https://github.com/$ORG_NAME/$REPO_NAME/network/dependencies)" + }, "date": { "type": "object", "description": "A date object describing the release", @@ -242,6 +247,7 @@ "languages", "maintenance", "contractNumber", + "SBOM", "date", "tags", "contact", From cce34807ea7570060463a866be12240382959809 Mon Sep 17 00:00:00 2001 From: Natalia Luzuriaga Date: Mon, 25 Aug 2025 16:55:02 -0700 Subject: [PATCH 2/5] Added validation contraints and updated additionalProperties usage Signed-off-by: Natalia Luzuriaga --- schemas/schema-2.0.0.json | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/schemas/schema-2.0.0.json b/schemas/schema-2.0.0.json index 73babbd..3521d50 100644 --- a/schemas/schema-2.0.0.json +++ b/schemas/schema-2.0.0.json 
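Review bot: The new `SBOM` property (the same definition is added to schemas/cms/schema-0.2.0.json in patch 4) accepts any string, so a malformed link or a misspelled sentinel validates, and the description makes the literal `'None'` share the field with a URL, which every consumer then has to special-case. Constraining it as `"anyOf": [{ "type": "string", "format": "uri" }, { "const": "None" }]` keeps the documented contract while letting a validator that asserts formats actually check it. The description could also say that a GitHub dependency-graph page is a rendered view rather than a machine-readable SBOM document (SPDX or CycloneDX), if tooling is expected to consume this field; that is a design question, not a defect in the hunk. Minor wording: `i.e.` in the description introduces an example and should read `e.g.`.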
@@ -1,5 +1,6 @@ { "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://dsacms.github.io/code-json-schema.json", "title": "code.json metadata", "description": "A metadata standard for software repositories", "type": "object", @@ -64,7 +65,8 @@ "required": [ "name", "URL" - ] + ], + "additionalProperties": false } }, "usageType": { 
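Review bot: The `$id` added here, `https://dsacms.github.io/code-json-schema.json`, is the same URI patch 4 gives schemas/cms/schema-0.2.0.json, so two different schemas now claim one canonical identifier; a resolver that registers schemas by `$id`, or a `$ref` that targets it, binds to whichever schema was loaded first. Whether that URI actually serves either file cannot be determined from the diff. Give each schema its own `$id` and carry the schema version in it, so a 2.0.0 schema and a 0.2.0 schema can never be mistaken for each other, e.g. a URI of the form `https://<host>/schemas/<name>-<version>.json` (placeholder). The `additionalProperties: false` added to the nested object in the second hunk is fine; the root object's own openness is outside the hunk, so I cannot tell whether unknown top-level keys are rejected.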
@@ -89,8 +91,7 @@ "exemptByPolicyDate" ] }, - "description": "A list of enumerated values which describes the usage permissions for the release: (1) openSource: Open source; (2) governmentWideReuse: Government-wide reuse; (3) exemptByNationalSecurity: The source code is primarily for use in national security system as defined in section 11103 of title 40, USC; (4) exemptByNationalIntelligence: The source code is developed by an agency or part of an agency that is an element of the intelligence community, as defined in section 3(4) of the National Security Act of 1947; (5) exemptByFOIA: The source code is exempt under the Freedom of Information Act; (6) exemptByEAR: The source code is exempt under the Export Administration Regulations; (7) exemptByITAR: The source code is exempt under the the International Traffic in Arms Regulations; (8) exemptByTSA: The source code is exempt under the regulations of the Transportation Security Administration relating to the protection of Sensitive Security Information; (9) exemptByClassifiedInformation: The source code is exempt under the Federal laws and regulations governing the sharing of classified information not covered by exemptByNationalSecurity, exemptByNationalIntelligence, exemptbyFOIA, exemptByEAR, exemptByITAR, and exemptByTSA; (10) exemptByPrivacyRisk: The sharing or public accessibility of the source code would create an identifiable risk to the privacy of an individual; (11) exemptByIPRestriction: The sharing of the source code is limited by patent or intellectual property restrictions; (12) exemptByAgencySystem: The sharing of the source code would create an identifiable risk to the stability, security, or integrity of the agency’s systems or personnel; (13) exemptByAgencyMission: The sharing of the source code would create an identifiable risk to agency mission, programs, or operations; (14) exemptByCIO: The CIO believes it is in the national interest to exempt sharing the source code; (15) exemptByPolicyDate: 
The release was created prior to the M-16-21 policy (August 8, 2016)", - "additionalProperties": false + "description": "A list of enumerated values which describes the usage permissions for the release: (1) openSource: Open source; (2) governmentWideReuse: Government-wide reuse; (3) exemptByNationalSecurity: The source code is primarily for use in national security system as defined in section 11103 of title 40, USC; (4) exemptByNationalIntelligence: The source code is developed by an agency or part of an agency that is an element of the intelligence community, as defined in section 3(4) of the National Security Act of 1947; (5) exemptByFOIA: The source code is exempt under the Freedom of Information Act; (6) exemptByEAR: The source code is exempt under the Export Administration Regulations; (7) exemptByITAR: The source code is exempt under the the International Traffic in Arms Regulations; (8) exemptByTSA: The source code is exempt under the regulations of the Transportation Security Administration relating to the protection of Sensitive Security Information; (9) exemptByClassifiedInformation: The source code is exempt under the Federal laws and regulations governing the sharing of classified information not covered by exemptByNationalSecurity, exemptByNationalIntelligence, exemptbyFOIA, exemptByEAR, exemptByITAR, and exemptByTSA; (10) exemptByPrivacyRisk: The sharing or public accessibility of the source code would create an identifiable risk to the privacy of an individual; (11) exemptByIPRestriction: The sharing of the source code is limited by patent or intellectual property restrictions; (12) exemptByAgencySystem: The sharing of the source code would create an identifiable risk to the stability, security, or integrity of the agency's systems or personnel; (13) exemptByAgencyMission: The sharing of the source code would create an identifiable risk to agency mission, programs, or operations; (14) exemptByCIO: The CIO believes it is in the national interest to 
exempt sharing the source code; (15) exemptByPolicyDate: The release was created prior to the M-16-21 policy (August 8, 2016)" }, "exemptionText": { "type": [ @@ -137,6 +138,7 @@ }, "laborHours": { "type": "number", + "minimum": 0, "description": "Labor hours invested in the project. Calculated using COCOMO measured by the SCC tool: https://github.com/boyter/scc?tab=readme-ov-file#cocomo" }, "reuseFrequency": { @@ -144,10 +146,12 @@ "description": "Measures frequency of code reuse in various forms. (e.g. forks, downloads, clones)", "properties": { "forks": { - "type": "integer" + "type": "integer", + "minimum": 0 }, "clones": { - "type": "integer" + "type": "integer", + "minimum": 0 } }, "additionalProperties": true @@ -157,7 +161,8 @@ "description": "Programming languages that make up the codebase", "items": { "type": "string" - } + }, + "uniqueItems": true }, "maintenance": { "type": "string", @@ -174,7 +179,8 @@ "description": "Contract number(s) under which the project was developed", "items": { "type": "string" - } + }, + "uniqueItems": true }, "SBOM": { "type": "string", @@ -199,14 +205,16 @@ "format": "date-time", "description": "Date when metadata was last updated" } - } + }, + "additionalProperties": false }, "tags": { "type": "array", "description": "Topics and keywords associated with the project to improve search and discoverability", "items": { "type": "string" - } + }, + "uniqueItems": true }, "contact": { "type": "object", @@ -221,7 +229,8 @@ "type": "string", "description": "Name of the point of contact" } - } + }, + "additionalProperties": false }, "feedbackMechanism": { "type": "string", From 99bf0e76f0baf8a97318d2203e7dfe4fc41f6802 Mon Sep 17 00:00:00 2001 From: Natalia Luzuriaga Date: Mon, 25 Aug 2025 16:56:39 -0700 Subject: [PATCH 3/5] Updated tests 
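Review bot: The `reuseFrequency` object keeps `"additionalProperties": true` while the sibling `date` and `contact` objects in this same patch are closed with `"additionalProperties": false`, and the CMS schema gets the identical split in patch 4; the inconsistency is visible on the context line right after the two new `"minimum": 0` constraints. If the object is open by design (its description mentions "various forms"), say so in the description, e.g. `"description": "Measures frequency of code reuse in various forms (e.g. forks, downloads, clones); additional counters are permitted"`; otherwise close it and enumerate the counters so a typo in a key is caught. The `minimum: 0` bounds and `uniqueItems` on the string arrays are sound; note that `uniqueItems` compares strings exactly, so a case or whitespace variant of a language or tag still passes.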
Signed-off-by: Natalia Luzuriaga --- .github/workflows/json-schema-tests.yml | 2 +- code.json | 1 + tests/examples/codejson-example-dedupliFHIR.json | 1 + tests/examples/codejson-example-metrics.json | 1 + 4 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/json-schema-tests.yml b/.github/workflows/json-schema-tests.yml index 6d65910..be93a49 100644 --- a/.github/workflows/json-schema-tests.yml +++ b/.github/workflows/json-schema-tests.yml @@ -21,7 +21,7 @@ jobs: uses: GrantBirki/json-yaml-validate@v3.3.2 # replace with the latest version with: comment: "true" - json_schema_version: "draft-04" + json_schema_version: "draft-2020-12" schema-tests: runs-on: ubuntu-latest diff --git a/code.json b/code.json index ebd855c..2db1d4f 100644 --- a/code.json +++ b/code.json @@ -37,6 +37,7 @@ ], "maintenance": "community", "contractNumber": [], + "SBOM": "https://github.com/DSACMS/gov-codejson/network/dependencies", "date": { "created": "2025-02-04T21:59:53Z", "lastModified": "2025-08-13T22:27:54Z", diff --git a/tests/examples/codejson-example-dedupliFHIR.json b/tests/examples/codejson-example-dedupliFHIR.json index f7af54b..c995a0f 100644 --- a/tests/examples/codejson-example-dedupliFHIR.json +++ b/tests/examples/codejson-example-dedupliFHIR.json @@ -46,6 +46,7 @@ ], "maintenance": "internal", "contractNumber": [], + "SBOM": "https://github.com/DSACMS/dedupliFHIR/network/dependencies", "date": { "created": "2023-06-22T17:08:19Z", "lastModified": "2025-02-13T18:44:26Z", diff --git a/tests/examples/codejson-example-metrics.json b/tests/examples/codejson-example-metrics.json index 5a448e7..c22f16b 100644 --- a/tests/examples/codejson-example-metrics.json +++ b/tests/examples/codejson-example-metrics.json @@ -43,6 +43,7 @@ ], "maintenance": "internal", "contractNumber": [], + "SBOM": "https://github.com/DSACMS/metrics/network/dependencies", "date": { "created": "2023-07-18T14:10:58Z", "lastModified": "2025-06-01T11:36:12Z", 
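Review bot: Switching `json_schema_version` to `draft-2020-12` changes what `format` means for the schemas being validated: under draft 2020-12 `format` (the `date-time` on the `date` object's fields in schemas/schema-2.0.0.json) is an annotation unless the validator opts into format assertion, so the timestamps in code.json and the example files may be accepted unchecked; confirm the action asserts formats at this setting, or back the fields with a `pattern`. Separately, the step is pinned to a tag (`@v3.3.2`, with a note to bump it) — pinning the validation action to the commit SHA of that release makes this supply-chain step reproducible and tamper-evident. The `SBOM` values added to code.json and the two example files are GitHub dependency-graph page URLs, which matches the schema description as written.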
From 57cd0c6fd9daf32963d9dcc0b9f1cc451e812c7e Mon Sep 17 00:00:00 2001 From: Natalia Luzuriaga Date: Mon, 25 Aug 2025 17:32:55 -0700 Subject: [PATCH 4/5] Update CMS schema to reflect gov schema latest changes Signed-off-by: Natalia Luzuriaga --- schemas/cms/schema-0.2.0.json | 59 ++++++++++++++++++++++++----------- 1 file changed, 40 insertions(+), 19 deletions(-) diff --git a/schemas/cms/schema-0.2.0.json b/schemas/cms/schema-0.2.0.json index 9b9e036..06290db 100644 --- a/schemas/cms/schema-0.2.0.json +++ b/schemas/cms/schema-0.2.0.json @@ -1,6 +1,7 @@ { - "$schema": "http://json-schema.org/draft-04/schema#", - "title": "CMS Code.json Metadata", + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://dsacms.github.io/code-json-schema.json", + "title": "CMS code.json metadata", "description": "A metadata standard for software repositories of CMS", "type": "object", "properties": { @@ -70,7 +71,8 @@ "required": [ "name", "URL" - ] + ], + "additionalProperties": false } }, "usageType": { 
@@ -95,8 +97,7 @@ "exemptByPolicyDate" ] }, - "description": "A list of enumerated values which describes the usage permissions for the release: (1) openSource: Open source; (2) governmentWideReuse: Government-wide reuse; (3) exemptByNationalSecurity: The source code is primarily for use in national security system as defined in section 11103 of title 40, USC; (4) exemptByNationalIntelligence: The source code is developed by an agency or part of an agency that is an element of the intelligence community, as defined in section 3(4) of the National Security Act of 1947; (5) exemptByFOIA: The source code is exempt under the Freedom of Information Act; (6) exemptByEAR: The source code is exempt under the Export Administration Regulations; (7) exemptByITAR: The source code is exempt under the the International Traffic in Arms Regulations; (8) exemptByTSA: The source code is exempt under the regulations of the Transportation Security Administration relating to the protection of Sensitive Security Information; (9) exemptByClassifiedInformation: The source code is exempt under the Federal laws and regulations governing the sharing of classified information not covered by exemptByNationalSecurity, exemptByNationalIntelligence, exemptbyFOIA, exemptByEAR, exemptByITAR, and exemptByTSA; (10) exemptByPrivacyRisk: The sharing or public accessibility of the source code would create an identifiable risk to the privacy of an individual; (11) exemptByIPRestriction: The sharing of the source code is limited by patent or intellectual property restrictions; (12) exemptByAgencySystem: The sharing of the source code would create an identifiable risk to the stability, security, or integrity of the agency’s systems or personnel; (13) exemptByAgencyMission: The sharing of the source code would create an identifiable risk to agency mission, programs, or operations; (14) exemptByCIO: The CIO believes it is in the national interest to exempt sharing the source code; (15) exemptByPolicyDate: 
The release was created prior to the M-16-21 policy (August 8, 2016)", - "additionalProperties": false + "description": "A list of enumerated values which describes the usage permissions for the release: (1) openSource: Open source; (2) governmentWideReuse: Government-wide reuse; (3) exemptByNationalSecurity: The source code is primarily for use in national security system as defined in section 11103 of title 40, USC; (4) exemptByNationalIntelligence: The source code is developed by an agency or part of an agency that is an element of the intelligence community, as defined in section 3(4) of the National Security Act of 1947; (5) exemptByFOIA: The source code is exempt under the Freedom of Information Act; (6) exemptByEAR: The source code is exempt under the Export Administration Regulations; (7) exemptByITAR: The source code is exempt under the the International Traffic in Arms Regulations; (8) exemptByTSA: The source code is exempt under the regulations of the Transportation Security Administration relating to the protection of Sensitive Security Information; (9) exemptByClassifiedInformation: The source code is exempt under the Federal laws and regulations governing the sharing of classified information not covered by exemptByNationalSecurity, exemptByNationalIntelligence, exemptbyFOIA, exemptByEAR, exemptByITAR, and exemptByTSA; (10) exemptByPrivacyRisk: The sharing or public accessibility of the source code would create an identifiable risk to the privacy of an individual; (11) exemptByIPRestriction: The sharing of the source code is limited by patent or intellectual property restrictions; (12) exemptByAgencySystem: The sharing of the source code would create an identifiable risk to the stability, security, or integrity of the agency's systems or personnel; (13) exemptByAgencyMission: The sharing of the source code would create an identifiable risk to agency mission, programs, or operations; (14) exemptByCIO: The CIO believes it is in the national interest to 
exempt sharing the source code; (15) exemptByPolicyDate: The release was created prior to the M-16-21 policy (August 8, 2016)" }, "exemptionText": { "type": [ @@ -157,11 +158,13 @@ "hg", "svn", "rcs", - "bzr" + "bzr", + "none" ] }, "laborHours": { "type": "number", + "minimum": 0, "description": "Labor hours invested in the project. Calculated using COCOMO measured by the SCC tool: https://github.com/boyter/scc?tab=readme-ov-file#cocomo" }, "reuseFrequency": { @@ -169,10 +172,12 @@ "description": "Measures frequency of code reuse in various forms. (e.g. forks, downloads, clones)", "properties": { "forks": { - "type": "integer" + "type": "integer", + "minimum": 0 }, "clones": { - "type": "integer" + "type": "integer", + "minimum": 0 } }, "additionalProperties": true @@ -191,14 +196,16 @@ "android", "other" ] - } + }, + "uniqueItems": true }, "categories": { "type": "array", "description": "Categories the project belongs to. Select from: https://yml.publiccode.tools/categories-list.html", "items": { "type": "string" - } + }, + "uniqueItems": true }, "softwareType": { "type": "string", @@ -220,7 +227,8 @@ "description": "Programming languages that make up the codebase", "items": { "type": "string" - } + }, + "uniqueItems": true }, "maintenance": { "type": "string", @@ -237,7 +245,12 @@ "description": "Contract number(s) under which the project was developed", "items": { "type": "string" - } + }, + "uniqueItems": true + }, + "SBOM": { + "type": "string", + "description": "Link of the upstream repositories and dependencies used, in the form of a Software Bill of Materials/SBOM. If the software does not have a SBOM, enter 'None'. (i.e. Github provides an SBOM: https://github.com/$ORG_NAME/$REPO_NAME/network/dependencies)" }, "date": { "type": "object", 
@@ -258,14 +271,16 @@ "format": "date-time", "description": "Date when metadata was last updated" } - } + }, + "additionalProperties": false }, "tags": { "type": "array", "description": "Topics and keywords associated with the project to improve search and discoverability", "items": { "type": "string" - } + }, + "uniqueItems": true }, "contact": { "type": "object", @@ -280,7 +295,8 @@ "type": "string", "description": "Name of the point of contact" } - } + }, + "additionalProperties": false }, "feedbackMechanism": { "type": "string", @@ -331,14 +347,16 @@ "description": "Project(s) that is associated or related to the repository, if any (e.g. Bluebutton, MPSM)", "items": { "type": "string" - } + }, + "uniqueItems": true }, "systems": { "type": "array", "description": "CMS systems that the repository interfaces with or depends on, if any (e.g. IDR, PECOS)", "items": { "type": "string" - } + }, + "uniqueItems": true }, "upstream": { "type": "string", @@ -355,7 +373,8 @@ "medicaid" ] }, - "description": "Healthcare-related subset" + "description": "Healthcare-related subset", + "uniqueItems": true }, "userType": { "type": "array", @@ -367,7 +386,8 @@ "government" ] }, - "description": "Types of users who interact with the software" + "description": "Types of users who interact with the software", + "uniqueItems": true }, "maturityModelTier": { "type": "integer", @@ -400,6 +420,7 @@ "languages", "maintenance", "contractNumber", + "SBOM", "date", "tags", "contact", From 65073060d5bf2462a6913d9bc4c5b5f6e88ece45 Mon Sep 17 00:00:00 2001 From: Natalia Luzuriaga Date: Mon, 25 Aug 2025 17:36:09 -0700 Subject: [PATCH 5/5] Removed upstream field from CMS schema Signed-off-by: Natalia Luzuriaga --- code.json | 1 - schemas/cms/schema-0.2.0.json | 4 ---- tests/examples/codejson-example-dedupliFHIR.json | 1 - tests/examples/codejson-example-metrics.json | 1 - 4 files changed, 7 deletions(-) diff --git a/code.json b/code.json index 2db1d4f..8b6b858 100644 --- a/code.json 
+++ b/code.json @@ -70,7 +70,6 @@ "SHARE IT Act" ], "systems": [], - "upstream": "https://github.com/DSACMS/gov-codejson/network/dependencies", "subsetInHealthcare": [ "operational" ], diff --git a/schemas/cms/schema-0.2.0.json b/schemas/cms/schema-0.2.0.json index 06290db..ba9cf2d 100644 --- a/schemas/cms/schema-0.2.0.json +++ b/schemas/cms/schema-0.2.0.json @@ -358,10 +358,6 @@ }, "uniqueItems": true }, - "upstream": { - "type": "string", - "description": "Link of the upstream repositories and dependencies used, in the form of a Software Bill of Materials/SBOM (https://github.com/$ORG_NAME/$REPO_NAME/network/dependencies)" - }, "subsetInHealthcare": { "type": "array", "items": { diff --git a/tests/examples/codejson-example-dedupliFHIR.json b/tests/examples/codejson-example-dedupliFHIR.json index c995a0f..1d7afac 100644 --- a/tests/examples/codejson-example-dedupliFHIR.json +++ b/tests/examples/codejson-example-dedupliFHIR.json @@ -73,7 +73,6 @@ "group": "CMS/OA/DSAC", "projects": [], "systems": [], - "upstream": "https://github.com/DSACMS/dedupliFHIR/network/dependencies", "subsetInHealthcare": [ "operational" ], diff --git a/tests/examples/codejson-example-metrics.json b/tests/examples/codejson-example-metrics.json index c22f16b..ea08875 100644 --- a/tests/examples/codejson-example-metrics.json +++ b/tests/examples/codejson-example-metrics.json @@ -68,7 +68,6 @@ "group": "CMS/OA/DSAC", "projects": [], "systems": [], - "upstream": "https://github.com/DSACMS/metrics/network/dependencies", "subsetInHealthcare": [ "operational" ],