├── .github
    ├── CODEOWNERS
    └── workflows
    │   └── test-generate-api-clients.yaml
├── .gitignore
├── LICENSE
├── NOTICE
├── README.md
├── api-flow
    ├── consumer.md
    └── publisher.md
├── api
    └── bomexchangeapi.md
├── auth
    └── readme.md
├── contributors.md
├── discovery
    └── readme.md
├── doc
    ├── tea-requirements.md
    └── tea-usecases.md
├── images
    ├── Project-Koala.svg
    ├── tealogo-big.png
    ├── tealogo-on-black.png
    └── tealogo.png
├── out
    └── .gitkeep
├── presentations
    ├── koalacon2024
    │   ├── 00-welcome.pdf
    │   ├── 01-introduction-overview.pdf
    │   ├── 02-tea-data-model.pdf
    │   ├── 03-dependency-track.pdf
    │   ├── 04-tea-sbomify.pdf
    │   └── 05-tea-and-java.pdf
    ├── oej
    │   ├── koala-beta-one-cisa-sbom-community.pdf
    │   ├── koala-tea-intro-normal-format.pdf
    │   ├── koala-tea-intro-sbomarama.pdf
    │   ├── koala-transparency-exchange.pdf
    │   ├── tea-collection.key.pdf
    │   └── tea-publish.pdf
    └── steve.springett
    │   ├── Ecma TC54 + CycloneDX Brief (June 2024).pdf
    │   └── Transparency Exchange API Kickoff.pdf
├── signatures
    └── signature.md
├── spec
    ├── README.md
    ├── generators
    │   ├── common.yaml
    │   ├── go.yaml
    │   ├── java-webclient.yaml
    │   ├── python.yaml
    │   ├── typescript.yaml
    │   └── update-pom.sh
    ├── openapi.yaml
    └── publisher
    │   ├── README.md
    │   └── openapi.json
├── tea-artifact
    └── tea-artifact.md
├── tea-collection
    └── tea-collection.md
├── tea-component
    └── tea-component.md
└── tea-product
    └── tea-product.md


/.github/CODEOWNERS:
--------------------------------------------------------------------------------
1 | # see https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
2 | 
3 | * @oej @madpah
4 | 


--------------------------------------------------------------------------------
/.github/workflows/test-generate-api-clients.yaml:
--------------------------------------------------------------------------------
  1 | name: Build & Test Generated API Clients
  2 | 
  3 | on:
  4 |     push:
  5 |         branches: ['main']
  6 |     workflow_dispatch:
  7 | 
  8 | concurrency:
  9 |     group: ${{ github.workflow }}-${{ github.ref }}
 10 |     cancel-in-progress: true
 11 | 
 12 | env:
 13 |     OPEN_API_GENERATOR_VERSION: 'v7.12.0'
 14 |     PYTHON_VERSION_DEFAULT: '3.12'
 15 |     POETRY_VERSION: '1.8.1'
 16 | 
 17 | jobs:
 18 |     generate-library-code:
 19 |         name: Generate Library Code ${{ matrix.language }}
 20 |         runs-on: ubuntu-latest
 21 |         strategy:
 22 |             matrix:
 23 |                 language: ['go', 'java-webclient', 'python', 'typescript']
 24 |         steps:
 25 |             - name: Checkout
 26 |               # see https://github.com/actions/checkout
 27 |               uses: actions/checkout@v4
 28 | 
 29 |             - name: Create Output Directory
 30 |               run: mkdir out/${{ matrix.language }}
 31 | 
 32 |             - name: Run OpenAPI Generator
 33 |               uses: addnab/docker-run-action@v3
 34 |               with:
 35 |                   image: openapitools/openapi-generator-cli:${{ env.OPEN_API_GENERATOR_VERSION }}
 36 |                   options: -v ${{ github.workspace }}:/local
 37 |                   run: /usr/local/bin/docker-entrypoint.sh batch --clean /local/spec/generators/${{ matrix.language }}.yaml
 38 | 
 39 |             - name: Copy our scripts across too
 40 |               run: cp spec/generators/*.sh ./out/${{ matrix.language }}
 41 | 
 42 |             - name: Save to Cache
 43 |               uses: actions/cache/save@v4
 44 |               with:
 45 |                   path: out/${{ matrix.language }}
 46 |                   key: '${{ matrix.language }}-${{ github.run_id }}'
 47 | 
 48 |     validate-go:
 49 |         name: Validate Go Library
 50 |         runs-on: ubuntu-latest
 51 |         needs: generate-library-code
 52 | 
 53 |         steps:
 54 |             - name: Setup Go
 55 |               uses: actions/setup-go@v5
 56 |               with:
 57 |                   go-version: 1.22
 58 | 
 59 |             - name: Get generated code from cache
 60 |               uses: actions/cache/restore@v4
 61 |               with:
 62 |                   path: out/go
 63 |                   key: 'go-${{ github.run_id }}'
 64 |                   fail-on-cache-miss: true
 65 | 
 66 |             - name: Build Go API Client
 67 |               run: go build -v ./
 68 |               working-directory: out/go
 69 | 
 70 |             - name: Install test dependencies & run generated tests
 71 |               run: |
 72 |                   go get github.com/stretchr/testify/assert
 73 |                   go test -v ./test/
 74 |               working-directory: out/go
 75 | 
 76 |     validate-java-webclient:
 77 |         name: Validate Java Webclient
 78 |         runs-on: ubuntu-latest
 79 |         needs: generate-library-code
 80 | 
 81 |         steps:
 82 |             - name: Set up JDK 17 for x64
 83 |               uses: actions/setup-java@v4
 84 |               with:
 85 |                 java-version: '17'
 86 |                 distribution: 'temurin'
 87 |                 architecture: x64
 88 | 
 89 |             - name: Set up Maven
 90 |               uses: stCarolas/setup-maven@v5
 91 |               with:
 92 |                 maven-version: 3.9.4
 93 | 
 94 |             - name: Get generated code from cache
 95 |               uses: actions/cache/restore@v4
 96 |               with:
 97 |                   path: out/java-webclient
 98 |                   key: 'java-webclient-${{ github.run_id }}'
 99 |                   fail-on-cache-miss: true
100 | 
101 |             - name: Build & Test Java Webclient API Client
102 |               run: |
103 |                 ./update-pom.sh pom.xml
104 |                 mvn clean test
105 |               working-directory: out/java-webclient
106 | 
107 |     validate-python:
108 |         name: Validate Python Library
109 |         runs-on: ubuntu-latest
110 |         needs: generate-library-code
111 | 
112 |         steps:
113 |             - name: Set up Python
114 |               uses: actions/setup-python@v5
115 |               with:
116 |                   python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
117 | 
118 |             - name: Install poetry
119 |               # see https://github.com/marketplace/actions/setup-poetry
120 |               uses: Gr1N/setup-poetry@v9
121 |               with:
122 |                   poetry-version: ${{ env.POETRY_VERSION }}
123 | 
124 |             - name: Get generated code from cache
125 |               uses: actions/cache/restore@v4
126 |               with:
127 |                   path: out/python
128 |                   key: 'python-${{ github.run_id }}'
129 |                   fail-on-cache-miss: true
130 |                   
131 |             - name: Install dependencies
132 |               run: poetry install --no-root
133 |               working-directory: out/python
134 | 
135 |             - name: Ensure build successful
136 |               run: poetry build
137 |               working-directory: out/python
138 | 
139 |             - name: Run Tests
140 |               run: |
141 |                   pip install -r test-requirements.txt
142 |                   poetry run pytest
143 |               working-directory: out/python
144 | 
145 |     validate-typescript:
146 |         name: Validate Typescript Library
147 |         runs-on: ubuntu-latest
148 |         needs: generate-library-code
149 | 
150 |         steps:
151 |             - name: Setup Node
152 |               uses: actions/setup-node@v4
153 |               with:
154 |                   node-version: latest
155 | 
156 |             - name: Get generated code from cache
157 |               uses: actions/cache/restore@v4
158 |               with:
159 |                   path: out/typescript
160 |                   key: 'typescript-${{ github.run_id }}'
161 |                   fail-on-cache-miss: true
162 |                   
163 |             - name: Build Typescript API Client
164 |               run: npm i && npm run build
165 |               working-directory: out/typescript


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .idea/
2 | out/*
3 | .DS_Store
4 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "{}"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright OWASP Foundation
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/NOTICE:
--------------------------------------------------------------------------------
1 | CycloneDX BOM Exchange API Standard
2 | Copyright (c) OWASP Foundation
3 | 
4 | This product includes software developed by the
5 | CycloneDX community (https://cyclonedx.org/).
6 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | [![License](https://img.shields.io/badge/license-Apache%202.0-brightgreen.svg)](LICENSE)
  2 | [![Website](https://img.shields.io/badge/https://-cyclonedx.org-blue.svg)](https://cyclonedx.org/)
  3 | [![Slack Invite](https://img.shields.io/badge/Slack-Join-blue?logo=slack&labelColor=393939)](https://cyclonedx.org/slack/invite)
  4 | [![Group Discussion](https://img.shields.io/badge/discussion-groups.io-blue.svg)](https://groups.io/g/CycloneDX)
  5 | [![Twitter](https://img.shields.io/twitter/url/http/shields.io.svg?style=social&label=Follow)](https://twitter.com/CycloneDX_Spec)
  6 | [![ECMA TC54](https://img.shields.io/badge/ECMA-TC54-FC7C00?labelColor=404040)](https://tc54.org)
  7 | [![ECMA TC54](https://img.shields.io/badge/ECMA-TC54--TG1-FC7C00?labelColor=404040)](https://ecma-international.org/task-groups/tc54-tg1/)
  8 | 
  9 | # CycloneDX Transparency Exchange API Standard
 10 | 
 11 | The Transparency Exchange API (TEA) is being worked on within the CycloneDX community
 12 | with the goal to standardise the API in ECMA. A working group within ECMA TC54 has been
 13 | formed - TC54 TG1. The working group has a slack channel in the CycloneDX slack space.
 14 | 
 15 | ![](images/tealogo.png)
 16 | 
 17 | ## Status of the standard: Beta 1
 18 | 
 19 | TEA is now in beta 1. This beta focuses on the consumer side of the API. Work on the
 20 | publisher API will start after the beta. The idea is to get implementation feedback
 21 | early on the current specification in order to move forward towards a first official
 22 | version of the standard. Feedback will be gathered in the Hackathon at OWASP AppSec
 23 | Global in Barcelona May 28 as well as in the meetings and slack channel.
 24 | 
 25 | We encourage developers to start with both client and server implementations of TEA and
 26 | participate in interoperability tests. These will be organised both as hackathons and
 27 | informally using the Slack channel.
 28 | 
 29 | There will likely be multiple beta releases. We will announce these by adding new
 30 | tags in the repository as well as in the slack channel.
 31 | 
 32 | ## Introduction
 33 | 
 34 | This specification defines a standard, format agnostic, API for the exchange of
 35 | product related artefacts, like BOMs, between systems. The work includes:
 36 | 
 37 | - [Discovery of servers](/discovery/readme.md): Describes discovery using the Transparency Exchange Identifier (TEI)
 38 | - Retrieval of artefacts
 39 | - Publication of artefacts
 40 | - Authentication and authorization
 41 | - Querying
 42 | 
 43 | System and tooling implementors are encouraged to adopt this API standard for
 44 | sending/receiving transparency artefacts between systems. 
 45 | This will enable more widespread
 46 | "out of the box" integration support in the BOM ecosystem.
 47 | 
 48 | ## Use cases and requirements
 49 | 
 50 | The working group has produced a list of use cases and requirements for the protocol.
 51 | 
 52 | - [TEA requirements](doc/tea-requirements.md)
 53 | - [TEA use cases](doc/tea-usecases.md)
 54 | 
 55 | ## Data model
 56 | 
 57 | - [TEA Product](tea-product/tea-product): This is the starting point. A "product" is something for sale or distributed as an Open Source project. The [Transparency Exchange Identifier, TEI](/discovery/readme.md) points to a single product.
 58 | - [TEA Component index](tea-component/tea-component.md): A Component index is a version entry. The Component version index has one entry per version of the product.
 59 | - [TEA Collection](tea-collection/tea-collection.md): The collection is a list of artefacts for a specific version. The collection can be dynamic or static, depending on the implemenation.
 60 | 
 61 | ## Artefacts available of the API
 62 | 
 63 | The Transparency Exchange API (TEA) supports publication and retrieval of a set of transparency exchange artefacts. The API itself should not be restricting the types of the artefacts. A few examples:
 64 | 
 65 | ### xBOM
 66 | 
 67 | Bill of materials for any type of component and service are supported. This includes, but is not limited to, SBOM, HBOM, AI/ML-BOM, SaaSBOM, and CBOM. The API provides a BOM format agnostic way of publishing, searching, and retrieval of xBOM artifacts. 
 68 | 
 69 | ### CDXA
 70 | 
 71 | Standards and requirements along with attestations to those standards and requirements are captured and supported by CycloneDX Attestations (CDXA). Much like xBOM, these are supply chain artifacts that are captured allowing for consistent publishing, searching, and retrieval.
 72 | 
 73 | ### VDR/VEX
 74 | 
 75 | Vulnerability Disclosure Reports (VDR) and Vulnerability Exploitability eXchange (VEX) are supported artifact types. Like the xBOM element, the VDR/VEX support is format agnostic. However, CSAF has its own distribution requirements that may not be compatible with APIs. Therefore, the initial focus will be on CycloneDX (VDR and VEX) and OpenVEX.
 76 | 
 77 | ### CLE
 78 | 
 79 | Product lifecycle events that are captured and communicated through the Common Lifecycle Enumeration will be supported. This includes product rebranding, repackaging, mergers and acquisitions, and product milestone events such as end-of-life and end-of-support.
 80 | 
 81 | ### Insights
 82 | 
 83 | Much of the focus on Software Transparency from the U.S. Government and others center around the concept of “full transparency”. Consumers often need to ingest, process, and analyze SBOMs or VEXs just to be able to answer simple questions such as:
 84 | 
 85 | - Do any of my licensed products from Vendor A use Apache Struts?
 86 | - Are any of my licensed products from Vendor A vulnerable to log4shell and is there any action I need to take?
 87 | 
 88 | Insights allows for “limited transparency” that can be asked and answered using an expression language that can be tightly scoped or outcome-driven. Insights also removes the complexities of BOM format conversion away from the consumers. An object model derived from CycloneDX will be an integral part of this API, since the objects within CycloneDX are self-contained (thus API friendly) and the specification supports all the necessary xBOM types along with CDXA.
 89 | 
 90 | ## Presentations and videos
 91 | 
 92 | - You can find presentations in the repository in the [Presentations](/presentations) directory
 93 | - Our biweekly meetings are available on [YouTube playlist: Project Koala](https://www.youtube.com/playlist?list=PLqjEqUxHjy1XtSzGYL7Dj_WJbiLu_ty58)
 94 | - KoalaCon 2024 - an introduction to the project - can be [viewed on YouTube](https://youtu.be/NStzYW4WnEE?si=ihLirpGVjHc7K4bL)
 95 | 
 96 | ## Contributors
 97 | 
 98 | Contributors are listed in the [Contributors](contributors.md) file.
 99 | 
100 | ## Terminology
101 | 
102 | - API: Application programming interface
103 | - Authorization (authz):
104 | - Authentication (authn):
105 | - Collection: A set of artifacts representing a version of a product
106 | - Product: An item sold or delivered under one name
107 | - Product variant: A variant of a product
108 | - Version:
109 | 
110 | ![](images/Project-Koala.svg)
111 | 
112 | ## Previous work
113 | 
114 | - [The CycloneDX BOM Exchange API](/api/bomexchangeapi.md)
115 |    Implemented in the [CycloneDX BOM Repo Server](https://github.com/CycloneDX/cyclonedx-bom-repo-server)
116 | 


--------------------------------------------------------------------------------
/api-flow/consumer.md:
--------------------------------------------------------------------------------
  1 | # Transparency Exchange API: Consumer access
  2 | 
  3 | 
  4 | The consumer access starts with a TEI, A transparency Exchange Identifier. This is used to find the API server as
  5 | described in the [discovery document](/discovery/readme.md).
  6 | 
  7 | ## API usage
  8 | 
  9 | The standard TEI points to a product. A product is something sold, downloaded as an opensource project or aquired
 10 | by other means. It contains one or multiple components.
 11 | 
 12 | - __List of TEA Components__: Components are components of something that is part of a product.
 13 |   Each Component has it's own versioning and it's own set of artifacts.
 14 | - __List of TEA Releases__: Each component has a list of releases where each release has a timestamp and
 15 |   a lifecycle enumeration. They are normally sorted by timestamps. The TEA API has no requirements of
 16 | type of version string (semantic or any other scheme) - it's just an identifier set by the manufacturer.
 17 | - __List of TEA Collections__: For each release, there is a list of TEA collections as indicated
 18 |   by release date and a version integer starting with collection version 1. 
 19 | - __List of TEA Artifacts__: The collection is unique for a version and contains a list of artifacts.
 20 |   This can be SBOM files, VEX, SCITT, IN-TOTO or other documents.  Note that a single artifact
 21 |   can belong to multiple versionsof a Component and multiple Components.
 22 | - __List of artifact formats__: An artifact can be published in multiple formats.
 23 | 
 24 | The user has to know product TEI and version of each component (TEA Component) to find the list of
 25 | artifacts for the used version.
 26 | 
 27 | ## API flow based on TEI discovery
 28 | 
 29 | ```mermaid
 30 | 
 31 | ---
 32 | title: TEA consumer
 33 | ---
 34 | 
 35 | sequenceDiagram
 36 |     autonumber
 37 |     actor user
 38 |     participant discovery as TEA Discovery with TEI
 39 | 
 40 |     participant tea_product as TEA Product
 41 |     participant tea_component as TEA Component
 42 |     participant tea_release as TEA Release
 43 |     participant tea_collection as TEA Collection
 44 |     participant tea_artifact as TEA Artefact
 45 | 
 46 | 
 47 |     user ->> discovery: Discovery using DNS
 48 |     discovery ->> user: List of API servers
 49 | 
 50 |     user ->> tea_product: Finding all product parts (TEA Components) and facts about the product
 51 |     tea_product ->> user: List of product parts
 52 | 
 53 |     user ->> tea_component: Finding information of a component
 54 |     tea_component ->> user: List of component metadata
 55 | 
 56 |     user ->> tea_release: Finding a specific version/release
 57 |     tea_release ->> user: List of releases and collection id for each release
 58 | 
 59 |     user ->> tea_collection: Finding all artefacts for version in scope
 60 |     tea_collection ->> user: List of artefacts and formats available for each artefact
 61 | 
 62 |     user ->> tea_artifact: Request to download artifact
 63 |     tea_artifact ->> user: Artifact
 64 | 
 65 | 
 66 | 
 67 | ```
 68 | 
 69 | ## API flow based on direct access to API
 70 | 
 71 | In this case, the client wants to search for a specific product using the API
 72 | 
 73 | ```mermaid
 74 | 
 75 | ---
 76 | title: TEA client flow with search
 77 | ---
 78 | 
 79 | sequenceDiagram
 80 |     autonumber
 81 |     actor user
 82 | 
 83 |     participant tea_product as TEA Product
 84 |     participant tea_component as TEA Component
 85 |     participant tea_release as TEA Release
 86 |     participant tea_collection as TEA Collection
 87 |     participant tea_artifact as TEA Artefact
 88 | 
 89 | 
 90 |     user ->> tea_product: Search for product based on identifier (CPE, PURL, name)
 91 |     tea_product ->> user: List of products
 92 | 
 93 |     user ->> tea_product: Finding all product parts (TEA Components) and facts about choosen product
 94 |     tea_product ->> user: List of product parts
 95 | 
 96 |     user ->> tea_component: Finding information of a component
 97 |     tea_component ->> user: List of component metadata
 98 | 
 99 |     user ->> tea_release: Finding a specific version/release
100 |     tea_release ->> user: List of releases and collection id for each release
101 | 
102 |     user ->> tea_collection: Finding all artefacts for version in scope
103 |     tea_collection ->> user: List of artefacts and formats available for each artefact
104 | 
105 |     user ->> tea_artifact: Request to download artifact
106 |     tea_artifact ->> user: Artifact
107 | 
108 | ```
109 | 
110 | ## API flow based on cached data - checking for a new release
111 | 
112 | In this case a TEA client knows the component UUID and wants to check the status of the
113 | used release and if there's a new release. The client may limit the query with a given date
114 | for a release.
115 | 
116 | ```mermaid
117 | 
118 | ---
119 | title: TEA client flow with direct query for release
120 | ---
121 | 
122 | sequenceDiagram
123 |     autonumber
124 |     actor user
125 | 
126 |     participant tea_product as TEA Product
127 |     participant tea_component as TEA Component
128 |     participant tea_release as TEA Release
129 |     participant tea_collection as TEA Collection
130 |     participant tea_artifact as TEA Artefact
131 | 
132 |     user ->> tea_release: Finding a specific version/release
133 |     tea_release ->> user: List of releases and collection id for each release
134 | 
135 | ```
136 | 
137 | ## API flow based on cached data  - checking if a collection changed
138 | 
139 | In this case a TEA client knows the release UUID, the collection UUID, and the
140 | collection version from previous queries. If the given version is not the same,
141 | another query is done to get reason for update and new collection list of artifacts.
142 | 
143 | 
144 | ```mermaid
145 | 
146 | ---
147 | title: TEA client collection query
148 | ---
149 | 
150 | sequenceDiagram
151 |     autonumber
152 |     actor user
153 | 
154 |     participant tea_product as TEA Product
155 |     participant tea_component as TEA Component
156 |     participant tea_release as TEA Release
157 |     participant tea_collection as TEA Collection
158 |     participant tea_artifact as TEA Artefact
159 | 
160 | 
161 |     user ->> tea_collection: Finding the current collection, including version
162 |     tea_collection ->> user: List of artefacts and formats available for each artefact
163 | 
164 |     user ->> tea_collection: Request to access previous version of the collection to compare
165 |     tea_collection ->> user: Previous version of collection
166 | 
167 | ```


--------------------------------------------------------------------------------
/api-flow/publisher.md:
--------------------------------------------------------------------------------
 1 | # Overview of the TEA API from a producer standpoint
 2 | 
 3 | This is input for the working group.
 4 | 
 5 | ## Bootstrapping
 6 | 
 7 | ```mermaid
 8 | 
 9 | sequenceDiagram
10 |     autonumber
11 |     actor Vendor
12 |     participant tea_product as TEA Product
13 |     participant tea_component as TEA Component
14 |     participant tea_collection as TEA Collection
15 | 
16 |     Vendor ->> tea_product: POST to /v1/product to create new product
17 |     tea_product -->> Vendor: Product is created and TEA Product Identifier (PI) returned
18 | 
19 |     Vendor ->> tea_component: POST to /v1/component with the TEA PI and component version as the payload
20 |     tea_component ->> Vendor: Component is created and a TEA Component ID is returned
21 | 
22 |     Vendor ->> tea_collection: POST to /v1/collection with the TEA Component ID as the and the artifact as payload
23 |     tea_collection ->> Vendor: Collection is created with the collection ID returned
24 | 
25 | ```
26 | 
27 | ## Release life cycle
28 | 
29 | ```mermaid
30 | sequenceDiagram
31 |     autonumber
32 |     actor Vendor
33 |     participant tea_product as TEA Product
34 |     participant tea_component as TEA Component
35 |     participant tea_collection as TEA Collection
36 | 
37 |     Note over Vendor,tea_component: Create new release
38 | 
39 |     Vendor ->> tea_component: POST to /v1/component with the TEA PI and component version as the payload
40 |     tea_component ->> Vendor: Component is created and a TEA Component ID is returned
41 | 
42 |     Note over Vendor,TEA Component: Add an artifact (e.g. SBOM)
43 |     Vendor ->> tea_collection: POST to /v1/collection with the TEA Component ID as the and the artifact as payload
44 |     tea_collection ->> Vendor: Collection is created with the collection ID returned
45 | 
46 | ```
47 | 
48 | ## Adding a new artifact
49 | 
50 | ```mermaid
51 | sequenceDiagram
52 |     autonumber
53 |     actor Vendor
54 |     participant tea_product as TEA Product
55 |     participant tea_component as TEA Component
56 |     participant tea_collection as TEA Collection
57 | 
58 |     Vendor ->> tea_component: GET to /v1/component with the TEA PI to get the latest version
59 |     tea_component ->> Vendor: Component will be returned
60 | 
61 |     Vendor ->> tea_collection: POST to /v1/collection with the TEA Component ID as the and the artifact as payload
62 |     tea_collection ->> Vendor: Collection is created with the collection ID returned
63 | ```


--------------------------------------------------------------------------------
/api/bomexchangeapi.md:
--------------------------------------------------------------------------------
  1 | # CycloneDX BOM exchange API
  2 | 
  3 | __Note:__ this is an older version of the API not being worked on any more. This work
  4 | will be replaced by the Transparency Exchange API.
  5 | 
  6 | ## Conventions
  7 | 
  8 | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
  9 | "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be
 10 | interpreted as described in [RFC2119](http://www.ietf.org/rfc/rfc2119.txt).
 11 | 
 12 | ### ABNF Syntax
 13 | 
 14 | ABNF syntax used as per
 15 | [RFC5234: Augmented BNF for Syntax Specifications: ABNF](https://datatracker.ietf.org/doc/html/rfc5234).
 16 | 
 17 | ABNF rules are used from [RFC3986: Uniform Resource Identifier (URI): Generic Syntax - Appendix A. Collected ABNF for URI](https://datatracker.ietf.org/doc/html/rfc3986/#appendix-A).
 18 | 
 19 | These additional rules are defined:
 20 | 
 21 | ```abnf
 22 | system-url       = supported-scheme ":" hier-part
 23 |                        ; a system defined URL
 24 |                        ; hier-part as defined in RFC3986
 25 | supported-scheme = "http" / "https"
 26 | ```
 27 | 
 28 | See also: [RFC7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content](https://datatracker.ietf.org/doc/html/rfc7231)
 29 | 
 30 | ## Specification Compliance
 31 | 
 32 | An API server/client can be referred to as compliant if it correctly implements
 33 | any of the methods described within this specification. It is not a
 34 | requirement to implement all the methods described.
 35 | 
 36 | ## BOM Retrieval
 37 | 
 38 | This method is for retrieving a BOM from a system.
 39 | 
 40 | The BOM retrieval URL MUST comply with this syntax:
 41 | 
 42 | ```abnf
 43 | bom-retrieval-url    = system-url "?" bom-identifier-query
 44 | bom-identifier-query = "bomIdentifier=" bom-identifier
 45 | bom-identifier       = *( pchar / "/" / "?" )
 46 |                         ; an identifier that uniquely identifies a BOM
 47 |                         ; pchar as defined in RFC3986
 48 | ```
 49 | 
 50 | The HTTP request method MUST be `GET`.
 51 | 
 52 | For CycloneDX BOMs the `bom-identifier` MUST be either a CDX URN (https://www.iana.org/assignments/urn-formal/cdx)
 53 | or a BOM serial number UUID URN (https://cyclonedx.org/docs/1.4/json/#serialNumber).
 54 | 
 55 | For SPDX documents the `bom-identifier` MUST be the SPDX Document Namespace
 56 | (https://spdx.github.io/spdx-spec/document-creation-information/#65-spdx-document-namespace-field).
 57 | 
 58 | ### Server Requirements
 59 | 
 60 | Servers MAY require authorization. If authorization is required it MUST
 61 | use the HTTP `Authorization` header. If a server requires authorization, and
 62 | no `Authorization` request header is supplied by the client, the server
 63 | MUST respond with a 401 Unauthorized response.
 64 | 
 65 | Servers MUST honour the requested content types in the `Accept` header. If
 66 | the server does not support any of the requested content types a HTTP 406 response
 67 | MUST be returned. The 406 response body MUST contain a list of server supported
 68 | content types in the below format with `text/plain` content type.
 69 | 
 70 | ```abnf
 71 | media-type *(", " media-type)
 72 | ```
 73 | 
 74 | e.g. `application/vnd.cyclonedx+xml; version=1.4, application/vnd.cyclonedx+xml; version=1.3`
 75 | 
 76 | API servers MUST provide the correct `Content-Type` HTTP response header. For example:
 77 | 
 78 | ```http
 79 | Content-Type: application/vnd.cyclonedx+xml; version=1.4
 80 | ```
 81 | 
 82 | If a BOM serial number UUID URN is used as the `bom-identifier`, the server
 83 | MUST respond with the latest available version of the BOM.
 84 | 
 85 | ### Client Requirements
 86 | 
 87 | - Clients MUST support an optional `Authorization` header being specified.
 88 | - Clients MUST provide a `Accept` HTTP request header. For example:
 89 | 
 90 | ```http
 91 | Accept: application/vnd.cyclonedx+xml; version=1.4, application/vnd.cyclonedx+xml; version=1.3
 92 | ```
 93 | 
 94 | ## BOM Submission Endpoint
 95 | 
 96 | This method is for submitting a BOM to a system.
 97 | 
 98 | The BOM submission URL MUST comply with this syntax:
 99 | 
100 | ```abnf
101 | bom-submission-url = system-url
102 | ```
103 | 
104 | The HTTP request method MUST be `POST`.
105 | 
106 | ### Server Requirements
107 | 
108 | Servers MAY require authorization. If authorization is required it MUST
109 | use the HTTP `Authorization` header. If a server requires authorization, and
110 | no `Authorization` request header is supplied by the client, the server
111 | MUST respond with a 401 Unauthorized response.
112 | 
113 | Servers MUST honour the specified content type in the `Content-Type` header. If
114 | the server does not support the supplied content type a HTTP 415 Unsupported
115 | Media Type response MUST be returned. The 415 response body MUST contain a list
116 | of server supported content types in the below format with `text/plain` content type.
117 | 
118 | ```abnf
119 | media-type *(", " media-type)
120 | ```
121 | 
122 | e.g. `application/vnd.cyclonedx+xml; version=1.4, application/vnd.cyclonedx+xml; version=1.3`
123 | 
124 | If the submitted BOM has been successfully submitted the API server MUST
125 | respond with an appropriate 2xx HTTP status code.
126 | 
127 | ### Client Requirements
128 | 
129 | Clients MUST support an optional `Authorization` header being specified.
130 | 
131 | Clients MUST provide the correct `Content-Type` HTTP request header. For example:
132 | 
133 | ```http
134 | Content-Type: application/vnd.cyclonedx+xml; version=1.4
135 | ```
136 | 


--------------------------------------------------------------------------------
/auth/readme.md:
--------------------------------------------------------------------------------
 1 | # Transparency Exchange API - Authentication and authorization
 2 | 
 3 | This document covers authentication and authorization on the consumer side
 4 | of a TEA service - the discovery and download of software transparency artefacts.
 5 | 
 6 | ## Requirements
 7 | 
 8 | __Authorization__: A user of a TEA service may get access to all objects (components, collections) and
 9 | artefacts or just a subset, depending on the publisher of the data. Authorization is connected
10 | to __authentication__. 
11 | 
12 | The level of authorization is up to the implementer of the TEA implementation and the publisher,
13 | whether an identity gets access to all objects in a service or just a subset.
14 | 
15 | In order to get interoperability between clients and servers implementing the protocol, the
16 | specification focuses on the authentication. After successful authentication, the authorization
17 | may be implemented in multiple ways - on various levels of the API - depending on what information
18 | the user can access.
19 | 
20 | As an example, one implementation may publish all information about existing artefacts and software
21 | versions openly, but restrict access to artefacts to those that match the customers installation.
22 | Another implementation can implement a filter that does not show products and versions ("components") that
23 | the customer has not aquired.
24 | 
25 | For most Open Source projects, implementing authentication - setting up accounts and managing
26 | authorization - does not make much sense, since the information is usually in the open any way.
27 | 
28 | This specification does not impose any requirement on authentication on a TEA service. But should
29 | the provider implement authentication, two methods are supported in order to promote interoperability.
30 | 
31 | * HTTP Bearer Token Authentication
32 | * Mutual TLS with verifiable client and server certificates
33 | 
34 | A client may use both HTTP bearer token auth and TLS client certificates
35 | when accessing multiple TEA services. It is up to the service provider to select authentication.
36 | 
37 | ## HTTP bearer token auth
38 | 
39 | The API will support HTTP bearer token in the __Authorization:__ http header.
40 | How the token is aquired is out of scope for this
41 | specification, as is the potential content of the token.
42 | 
43 | As an example the token can be downloaded from a customer support portal with a long-term
44 | validity. This token is then installed into the software transparency platform (the TEA client)
45 | and used to automatically retrieve software transparency artefacts.
46 | 
47 | For each TEA service, one bearer token is needed. The token itself (or the backend) should
48 | specify authorization for the token.
49 | 
50 | ## Mutual TLS
51 | 
52 | For Mutual TLS the client certificates will be managed by the service and provided
53 | in a service-specific way. Clients should be able to configure a separate client certificate
54 | (and private key) on a per-service level, not assuming that a client certificate
55 | for one service is trusted anywhere else.
56 | 
57 | ## References
58 | 
59 | * RFC 6750: The Oauth 2.0 Authorization Framework: Bearer Token 
60 |   Usage (https://www.rfc-editor.org/rfc/rfc6750)
61 | 


--------------------------------------------------------------------------------
/contributors.md:
--------------------------------------------------------------------------------
 1 | # Contributors
 2 | 
 3 | Many people have contributed with good ideas during meetings, feedback during personal
 4 | interactions. A huge Thank You to everyone that has supported the work in
 5 | this project!
 6 | 
 7 | A few persons have contributed with documentation, API specifications and other
 8 | work during our meetings and workshops. They are noted here in alphabetic order:
 9 | 
10 | * Anthony Harrison, APH10, United Kingdom
11 | * Olle E. Johansson, Project lead, Edvina AB, Sweden, oej@edvina.net
12 | * Mark Symons
13 | * Paul Horton, Sonatype Inc., paul.horton@owasp.org, [@madaph](https://github.com/madpah)
14 | * Pavel Shukhman, Reliza, Canada, pavel@reliza.io
15 | * Piotr P. Karwasz, The Apache Software Foundation, pkarwasz-ecma@apache.org
16 | * Steve Springett
17 | * Valerio Mulas
18 | * Viktor Petersson, sbomify, United Kingdom, hello@sbomify.com
19 | 
20 | 


--------------------------------------------------------------------------------
/discovery/readme.md:
--------------------------------------------------------------------------------
  1 | # Transparency Exchange API - Discovery
  2 | 
  3 | **NOTE**: _This is a proposal for the WG_
  4 | 
  5 | - [From product identifier to API endpoint](#from-product-identifier-to-api-endpoint)
  6 | - [Advertising the TEI](#advertising-the-tei)
  7 | - [TEA Discovery - defining an extensible identifier](#tea-discovery---defining-an-extensible-identifier)
  8 | - [The TEI URN: An extensible identifier](#the-tei-urn-an-extensible-identifier)
  9 |   - [TEI syntax](#tei-syntax)
 10 |   - [TEI types](#tei-types)
 11 |   - [TEI resolution using DNS](#tei-resolution-using-dns)
 12 | - [Connecting to the API](#connecting-to-the-api)
 13 |   - [Overview: Finding the Index using DNS result](#overview-finding-the-index-using-dns-result)
 14 | - [The TEA Version Index](#the-tea-version-index)
 15 | - [References](#references)
 16 | 
 17 | ## From product identifier to API endpoint
 18 | 
 19 | TEA Discovery is the connection between a product identifier and the API endpoint.
 20 | A "product" is something that the customer aquires or downloads. It can be a bundle
 21 | of many digital devices or software applications. A "product" normally also has an
 22 | entry in a large corporation's asset inventory system.
 23 | 
 24 | A product identifier is embedded in a URN where the identifier is one of many existing
 25 | identifiers or a random string - like an EAN or UPC bar code, UUID, product
 26 | number or PURL.
 27 | 
 28 | The goal is for a user to add this URN to the transparency platform (sometimes with an
 29 | associated authentication token) and have the platform access the required artifacts
 30 | in a highly automated fashion.
 31 | 
 32 | ## Advertising the TEI
 33 | 
 34 | The TEI for a product can be communicated to the user in many ways.
 35 | 
 36 | - A QR code on a box
 37 | - On the invoice or delivery note
 38 | - For software with a GUI, in an "about" box
 39 | 
 40 | ## TEA Discovery - defining an extensible identifier
 41 | 
 42 | TEA discovery is the process where a user with a product identifier can discover and download
 43 | artifacts automatically, with or without authentication. A globally unique identifier is
 44 | required for a given product. This identifier is called the Transparency Exchange Identifier (TEI).
 45 | 
 46 | The TEI identifier is based on DNS, which assures a uniqueness per vendor (or open source project)
 47 | and gives the vendor a name space to define product identifiers based on existing or new identifiers
 48 | like EAN/UPC bar code, PURLs or other existing schemes. A given product may have multiple identifiers
 49 | as long as they all resolve into the same destination.
 50 | 
 51 | ## The TEI URN: An extensible identifier
 52 | 
 53 | The TEI, Transparency Exchange Identifier, is a URN schema that is extensible based on existing
 54 | identifiers like EAN codes, PURL and other identifiers. It is based on a DNS name, which leads
 55 | to global uniqueness without new registries.
 56 | 
 57 | The TEI can be shown in the software itself, in shipping documentation, in web pages and app stores.
 58 | TEI is unique for a product, not a version of a software. The TEI consist of three core parts
 59 | 
 60 | A TEI belongs to a single product. A product can have multiple TEIs - like one with a EAN/UPC
 61 | barcode and one with the vendor's product number.
 62 | 
 63 | ### TEI syntax
 64 | 
 65 | ```text
 66 | urn:tei:<type>:<domain-name>:<unique-identifier>
 67 | ````
 68 | 
 69 | - The **`type`** which defines the syntax of the unique identifier part
 70 | - The **`domain-name`** part resolves into a web server, which may not be the API host.
 71 |   - The uniqueness of the name is the domain name part that has to be registred at creation of the TEI.
 72 | - The **`unique-identifier`** has to be unique within the `domain-name`.
 73 |   Recommendation is to use a UUID but it can be an existing article code too
 74 | 
 75 | **Note**: this requires a registration of the TEI URN schema with IANA - [see here](https://github.com/CycloneDX/transparency-exchange-api/issues/18)
 76 | 
 77 | ### TEI types
 78 | 
 79 | The below show examples of TEI where the types are specific known formats or types.
 80 | 
 81 | Reminder: the `unique-identifer` component of the TEI needs only be unique within the `domain-name`.
 82 | 
 83 | #### PURL - Package URL
 84 | 
 85 | Where the `unique-identifier` is a PURL in it's canonical string form.
 86 | 
 87 | Syntax:
 88 | 
 89 | ```text
 90 | urn:tei:purl:<domain-name>:<purl>
 91 | ````
 92 | 
 93 | Example:
 94 | 
 95 | ```text
 96 | urn:tei:purl:cyclonedx.org:pkg:pypi/cyclonedx-python-lib@8.4.0?extension=whl&qualifier=py3-none-any
 97 | ```
 98 | 
 99 | #### SWID
100 | 
101 | Where the `unique-identifier` is a SWID.
102 | 
103 | Syntax:
104 | 
105 | ```text
106 | urn:tei:swid:<domain-name>:<swid>
107 | ````
108 | 
109 | Note that there is a TEI SWID type as well as a PURL SWID type.
110 | 
111 | #### HASH
112 | 
113 | Where the `unique-identifier` is a Hash. Supports the following hash types:
114 | 
115 | - SHA256
116 | - SHA384
117 | - SHA512
118 | 
119 | ```text
120 | urn:tei:hash:<domain-name>:<hashtype>:<hash>
121 | ````
122 | 
123 | Example:
124 | ```text
125 | urn:tei:hash:cyclonedx.org:SHA256:fd44efd601f651c8865acf0dfeacb0df19a2b50ec69ead0262096fd2f67197b9
126 | ```
127 | 
128 | The origin of the hash is up to the vendor to define.
129 | 
130 | #### UUID
131 | 
132 | Where the `unique-identifier` is a UUID.
133 | 
134 | Syntax:
135 | 
136 | ```text
137 | urn:tei:uuid:<domain-name>:<uuid>
138 | ````
139 | 
140 | Example:
141 | ```text
142 | urn:tei:uuid:cyclonedx.org:d4d9f54a-abcf-11ee-ac79-1a52914d44b1
143 | ```
144 | 
145 | 
146 | #### Other types to be defined
147 | 
148 | - EAN
149 | - GS1
150 | - STD
151 | 
152 | ### TEI resolution using DNS
153 | 
154 | The `domain-name` part of the TEI is used in a DNS query to find one or multiple locations for
155 | product transparency exchange information.
156 | 
157 | At the URL a well-known name space is used to find out where the API endpoint is hosted.
158 | This is solved by using the ".well-known" name space as defined by the IETF.
159 | 
160 | - `urn:tei:uuid:products.example.com:d4d9f54a-abcf-11ee-ac79-1a52914d44b1`
161 | - Syntax: `urn:tei:uuid:<name based on domain>:<unique identifier>`
162 | 
163 | The name in the DNS name part points to a set of DNS records.
164 | 
165 | A TEI with `domain-name` `tea.example.com` queries DNS for `tea.example.com`, considering `A`, `AAAA` and `CNAME` records.
166 | These point to the hosts available for the Transparency Exchange API.
167 | 
168 | The TEA client connects to the host using HTTPS and validates the certificate.
169 | The URI is composed of the name with the `/.well-known/tea` prefix added.
170 | 
171 | This results in the base URI (without the product identifier) 
172 | `https://tea.example.com/.well-known/tea/` 
173 | 
174 | 
175 | ## Connecting to the API
176 | 
177 | When connecting to the `.well-known/tea` URI with the unique identifier
178 | a HTTP redirect is **required**.
179 | 
180 | The server MUST redirect HTTP requests for that resource
181 | to the actual "context path" using one of the available mechanisms
182 | provided by HTTP (e.g., using a 301, 303, or 307 response).  Clients
183 | MUST handle HTTP redirects on the `.well-known` URI.  Servers MUST
184 | NOT locate the actual TEA service endpoint at the
185 | `.well-known` URI as per Section 1.1 of [RFC5785].
186 | 
187 | ### Overview: Finding the Index using DNS result
188 | 
189 | Append the product part of the TEI to the URI found
190 | 
191 | - TEI: `urn:tei:uuid:products.example.com:d4d9f54a-abcf-11ee-ac79-1a52914d44b1`
192 | - DNS record: `products.example.com`
193 | - URL: `https://products.example.com/.well-known/tea/d4d9f54a-abcf-11ee-ac79-1a52914d44b1/`
194 | - HTTP 302 redirect to "https://teapot02.consumer.example.com/tea/v2/product/d4d9f54a-abcf-11ee-ac79-1a52914d44b1'
195 | 
196 | Always prefix with the https:// scheme. http (unencrypted) is not valid.
197 | 
198 | - TEI: `urn:tei:uuid:products.example.com:d4d9f54a-abcf-11ee-ac79-1a52914d44b1`
199 | - URL: `https://products.example.com/.well-known/tea/d4d9f54a-abcf-11ee-ac79-1a52914d44b1/`
200 | 
201 | **NOTE:** The `/.well-known/tea` names space needs to be registred.
202 | 
203 | ## The TEA Version Index
204 | 
205 | The resulting URL leads to the TEA version index, which is documented in another document.
206 | One redirect (302) is allowed in order to provide for aliasing, where a single product
207 | has many identifiers. The redirect should not lead to a separate web server.
208 | 
209 | ## References
210 | 
211 | - [IANA .well-known registry](https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml)
212 | - [IANA URI registry](https://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml#urn-namespaces-1)
213 | 


--------------------------------------------------------------------------------
/doc/tea-requirements.md:
--------------------------------------------------------------------------------
 1 | # TEA Requirements
 2 | 
 3 | ## Repository discovery
 4 | Based on an identifier a repository URL needs to be found. The identifier can be:
 5 | 
 6 | - PURL
 7 | - Product name or Product SKU and vendor name
 8 | - EAN bar code
 9 | - Product  SKU
10 | - Vendor UUID
11 | - Hash of object
12 | 
13 | At the base URL well known URLs (ref) needs to point to
14 | 
15 | - A lifecycle status document (using OWASP Common Lifecycle Enumeration, CLE)
16 | - A version list. For each version, a URL will point to where a **collection** can be found
17 | - Vendor Discovery, returns a list of Vendors represented in the repository
18 |   - Vendor Name
19 |   - Vendor ID
20 | 
21 | As an alternative, discovery using a company's ordinary web site should be supported.
22 | This can be handled using the file security.txt (IETF RFC 9116)
23 | 
24 | ## Artifact Discovery based on TEA collections
25 | 
26 | The API MUST provide a way to discover the artifacts that are available for retrieval or further query.
27 | Discovery SHOULD group artifacts together that represent a **collection**
28 | that are directly applicable to a given product with a given version.
29 | Collections are OPTIONAL.
30 | 
31 | - SBOM - Software Bill of Material
32 | - CBOM - Cryptography Bill of Material
33 | - HBOM - Hardware Bill of Material
34 | - VDR - Vulnerability Disclosure Report
35 | - VEX - Vulnerability Exploitability eXchange
36 | - CDXA - Attestation
37 | 
38 | Authn/Authz MUST be supported
39 | 
40 | ## Collection Management
41 | 
42 | The API SHOULD provide a method to manage collections, such as adding new collections,
43 | modifying collections, or deleting existing collections.
44 | 
45 | - Authn/Authz MUST be supported
46 | 
47 | ## Artifact Retrieval
48 | 
49 | The API MUST provide a method in which to retrieve an artifact based on the identity of the artifact.
50 | For example, using CycloneDX BOM-Link to retrieve either the
51 | latest version or specific version of an artifact.
52 | 
53 | ```text
54 | urn:cdx:serialNumber
55 | urn:cdx:serialNumber/version
56 | ```
57 | 
58 | The API needs to provide support for update checks, i.e. to check if a document is
59 | updated without downloading. (possibly etag or HEAD method or similar)
60 | Authn/Authz MUST be supported
61 | 
62 | ## Artifact Publishing
63 | 
64 | The API MUST provide a way to publish an artifact, either standalone or to a collection. 
65 | The detection of duplicate artifacts with the same identity MUST be handled and prevented.
66 | Authn/Authz MUST be supported
67 | 
68 | ## Artifact Versioning
69 | 
70 | The system and API must support artifact versioning for formats that support
71 | versioning such as CycloneDX. For example:
72 | 
73 | - The ability to retrieve the latest SBOM vs a previous (uncorrected) version of the same SBOM.
74 |   Corrections to SBOMs is a supported use case in the NTIA framing document.
75 | - The ability to retrieve the latest VEX along with previous VEX for the same product so
76 |   that time-series decisions are transparently available.
77 | 
78 | Authn/Authz MUST be supported
79 | 
80 | ## insights: Search Artifact Inventory
81 | 
82 | The API MUST provide a way to search the inventory of a specific BOM or all available BOMs
83 | for a given component or service. The API SHOULD support multiple identity formats including
84 | PURL, CPE, SWID, GAV, GTIN, and GMN.
85 | 
86 | For example:
87 | 
88 | - Return the identity of all BOMs that have a vulnerable version of Apache Log4J: 
89 |   `pkg:maven/org.apache.logging.log4j/log4j-core@2.10.0`
90 | 
91 | The API MUST provide a way to search for the metadata component across all available BOMs. 
92 | The API SHOULD support multiple identity formats including PURL, CPE, SWID, GAV, GTIN, and GMN. 
93 | For example:
94 | 
95 | - Return the identity of all artifacts that describe `cpe:/a:acme:commerce_suite:1.0`.
96 | 
97 | Authn/Authz MUST be supported
98 | 


--------------------------------------------------------------------------------
/doc/tea-usecases.md:
--------------------------------------------------------------------------------
  1 | # TEA Use Cases
  2 | 
  3 | An overview of use cases to consider for the Transparency Exchange API. The use cases
  4 | are marked with a short code for reference. All use cases needs a story like "Alice has bought
  5 | a..."
  6 | 
  7 | The use cases are divided in two categories:
  8 | 
  9 | * Use cases for __customers__ (end-users, manufacturers) to find a repository with 
 10 |   Transparency Artefacts for a single unit purchased
 11 | * Use cases where there are different __products__
 12 |   * This applies after discovery where we need to handle various things a customer may 
 13 |     buy as a single unit
 14 | 
 15 | ## Customer focused use cases
 16 | 
 17 | ### C1: Consumer: Automated discovery based on SBOM identifier
 18 | 
 19 | As a consumer that has an SBOM for a product, I want to be able to retrieve VEX and VDR files automatically both for current and old versions of the software. In the SBOM the product is identified by a PURL or other means (CPE, …)
 20 | 
 21 | 
 22 | ### C2: Consumer: Automation based on product name/identifier
 23 | 
 24 | As a consumer, I want to download artifacts for a product based on known data.
 25 | A combination of manufacturer, product name, vendor product ID, EAN bar code or other unique identifier.
 26 | After discovering the base repository URL I want to be able to find a specific 
 27 | product variant and version.
 28 | 
 29 | If the consumer is a business, then the procurement process may include delivery of an SBOM with proper identifiers and possibly URLs or identifiers in another document, which may bootstrap the discovery process in a more exact way than in the case of buying a product in a retail market.
 30 | Alice bought a gadget at the gadget store that contains a full Linux system. Where and how will she find the SBOM and VEX for the gadget?
 31 | 
 32 | ### C3: Consumer: Artifact retrieval 
 33 | 
 34 | As a consumer, I want to retrieve one or more supply chain artifacts for the products that I have access to, possibly through licensing or other means. As a consumer, I should be able to retrieve all source artifacts such as xBOMs, VDR/VEX, CDXA, and CLE.
 35 | 
 36 | ### C4: Consumer: Summarized CLE
 37 | 
 38 | As a consumer, I want the ability to get the current lifecycle values for a given product.
 39 | A CLE captures all lifecycle events over time, however, there is a need to retrieve only the current values for things like product name, vendor name, and milestone events.
 40 | 
 41 | ### C5: Consumer: Insights
 42 | 
 43 | As a consumer, I want the ability to simply ask the API questions rather than having to download,
 44 | process, and analyze raw supply chain artifacts on my own systems. Common questions should be
 45 | provided by the API by default along with the ability to query for more complex answers using 
 46 | the Common Expression Language (CEL). 
 47 | 
 48 | _NOTE_: Project Hyades (Dependency-Track v5) already implements CEL with the CycloneDX object model and has proven that this approach works for complex queries.
 49 | 
 50 | ### D1: Developer/PM - Components for inclusion in products by other projects/developers
 51 | 
 52 | A developer needs a component - software, library (open source and/or proprietary) to include
 53 | in a product - publicly available (may be commercial) or in an internal system.
 54 | Developer can be individual, company or public sector.
 55 | They need insight into the library or component and be able to automatically keep upstream
 56 | artefacts up to date.
 57 | 
 58 | ### B1: Business consumer
 59 | 
 60 | Acme LLC buys 3 000 gadgetrons from Emca LTD to be distributed over a retail chain. Acme runs an in-house vulnerability management system (Dependency Track) to manage SBOMs and download VEX files to check for vulnerabilities. Acme has products from exactly 14.385 vendors in the system.
 61 | How will their systems get continuous access to current and old documents - attestations, SBOM, VEX and other files?
 62 | 
 63 | ### E1: Third party: Regulators
 64 | 
 65 | Alice & Bob Enterprises AB has gotten a EUCC certification to get their Whola Firewall certified
 66 | for CRA-compatible CE labeling. In order to maintain the certification the certifying body needs
 67 | access to SBOM and VEX updates from A&BE in an automated way.
 68 | 
 69 | ### E2: External potential customer - insights before purchase
 70 | 
 71 | Palme Auditors INC wants to buy the ACME SWISH product from a vendor. They want to examine vulnerability handling and get some insights into the products before making a decision.
 72 | 
 73 | ### E3: Hacker or competition
 74 | 
 75 | There are non-customers and not-to-be-customers that wants to get insight into how a product is
 76 | composed by getting the transparency docs.
 77 | 
 78 | ### E4: Open Source user
 79 | 
 80 | Palme Inc considers using the asterisk.org open source telephony PBX.
 81 | They need to make an assessment before starting tests and possible production use.
 82 | The can either use the Debian package, the Alpine Linux Package or build a binary themselves from source code.
 83 | How can they find the transparency exchange data sets?
 84 | 
 85 | 
 86 | ### O1: Open Source project
 87 | 
 88 | The hatturl open source project publish a library and a server side software on Github. This is
 89 | later packaged as packages in many Linux distributions.
 90 | 
 91 | How does the project publish artefacts? What are the requirements?
 92 | 
 93 | ## Product focused use cases
 94 | 
 95 | ### P1: A standalone app
 96 | 
 97 | Customer buys a standalone application that is delivered as a binary
 98 | 
 99 | ### P2: A OCI container
100 | 
101 | Customer gets a container with many third party components and a binary
102 | software developed by the manufacturer
103 | 
104 | ### P3: Embedded system
105 | 
106 | ### P4: Package with many devices
107 | 
108 | ### P5: An Open Source software library
109 | 


--------------------------------------------------------------------------------
/images/Project-Koala.svg:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="UTF-8" standalone="no"?>
  2 | <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
  3 | <svg width="100%" height="100%" viewBox="0 0 1200 500" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2;">
  4 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
  5 |         <path d="M388.42,221.5C399.41,219.38 410.76,218.5 421.85,220.33C433.95,221.93 445.65,225.65 457,230.01C468.8,236.02 480.65,242.49 490.17,251.85C492.9,254.45 494.57,258.1 497.72,260.26C502.81,262.69 508.33,264.51 512.67,268.26C518.71,273.56 524.68,278.96 530.01,284.97C534.59,290.2 539.29,295.48 542.21,301.86C534.5,299.67 526.74,297.45 518.69,296.98C520.11,300.54 521.79,303.98 523.66,307.33C528.08,315.2 530.43,324.09 531.27,333.04C532.31,343.6 532.9,354.51 529.84,364.8C528.52,370.2 525.72,375.99 528.43,381.44C524.9,379.16 524.21,374.55 521.11,371.87C518.65,369.7 515.3,369.14 512.24,368.31C512.07,367.15 511.92,365.99 511.8,364.83C513.06,345.68 511.2,326 503.95,308.1C500.24,296.76 495.64,285.38 487.75,276.25C482.51,270.18 477.45,263.75 470.64,259.36C462.01,253.26 452.12,249.39 442.29,245.72C434.26,242.79 425.75,241.44 417.28,240.58C403.86,239.33 390.43,241.83 377.6,245.62C371.61,247.51 366.1,250.61 360.61,253.63C351.76,258.34 344.32,265.24 337.2,272.19C329.97,279.46 326.01,288.99 322.02,298.24C321.95,294.9 321.94,291.52 322.64,288.24C325.65,280.12 329.72,272.43 333.73,264.76C336.9,258.56 341.85,253.6 346.3,248.33C351.78,241.72 358.94,236.85 365.78,231.78C372.49,226.78 380.29,223.37 388.42,221.5Z" style="fill:rgb(206,202,209);fill-rule:nonzero;"/>
  6 |     </g>
  7 |     <g transform="matrix(-1.01505,0,0,1,1154.63,-218.625)">
  8 |         <path d="M388.42,221.5C399.41,219.38 410.76,218.5 421.85,220.33C433.95,221.93 445.65,225.65 457,230.01C468.8,236.02 480.65,242.49 490.17,251.85C492.9,254.45 494.57,258.1 497.72,260.26C502.81,262.69 508.33,264.51 512.67,268.26C518.71,273.56 524.68,278.96 530.01,284.97C534.59,290.2 539.29,295.48 542.21,301.86C534.5,299.67 526.74,297.45 518.69,296.98C520.11,300.54 521.79,303.98 523.66,307.33C528.08,315.2 530.43,324.09 531.27,333.04C532.31,343.6 532.9,354.51 529.84,364.8C528.52,370.2 525.72,375.99 528.43,381.44C524.9,379.16 524.21,374.55 521.11,371.87C518.65,369.7 515.3,369.14 512.24,368.31C512.07,367.15 510.938,365.99 510.818,364.83C512.078,345.68 508.869,326.187 501.619,308.287C499.082,300.531 494.513,291.501 489.201,284.16C486.747,280.768 481.55,274.561 480.291,273.086C476.691,268.867 474.757,266.577 468.176,261.19C459.698,254.249 454.693,251.162 447.043,248.061C438.58,244.631 423.539,241.484 415.069,240.624C401.649,239.374 390.43,241.83 377.6,245.62C371.61,247.51 365.6,252.718 360.11,255.738C351.26,260.448 345.357,267.609 338.237,274.559C331.007,281.829 327.217,302.233 320.097,308.531C320.027,305.191 321.94,291.52 322.64,288.24C325.65,280.12 329.72,272.43 333.73,264.76C336.9,258.56 341.85,253.6 346.3,248.33C351.78,241.72 358.94,236.85 365.78,231.78C372.49,226.78 380.29,223.37 388.42,221.5Z" style="fill:rgb(206,202,209);fill-rule:nonzero;"/>
  9 |     </g>
 10 |     <path d="M707.93,81.288C714.36,79.048 720.81,76.258 727.73,76.228C732.79,76.098 737.86,76.188 742.88,76.798C751.59,77.608 759.6,81.568 767.1,85.818C773.02,89.708 779.2,93.738 783.18,99.748C775.14,98.478 766.79,97.778 758.9,100.318C757.36,100.468 755.78,100.788 754.25,100.468C752.5,98.958 751.32,96.898 749.62,95.338C748.37,95.848 747.18,96.518 746,97.178C745.35,96.418 744.71,95.658 744.07,94.908C741.98,98.088 740.47,102.448 736.39,103.518C730.72,105.238 724.77,106.788 718.8,105.838C714.57,105.208 710.29,105.658 706.07,106.168C705.88,103.608 705.69,101.038 705.5,98.478C704.01,98.218 702.52,97.958 701.03,97.708C701.7,94.878 702.36,92.048 703.06,89.238C702.19,88.558 701.32,87.878 700.44,87.208C697.4,91.038 694.68,95.188 690.79,98.238C693.26,90.218 700.12,84.008 707.93,81.288ZM690.79,98.238C694.68,95.188 697.4,91.038 700.44,87.208C701.32,87.878 702.19,88.558 703.06,89.238C702.36,92.048 701.7,94.878 701.03,97.708C702.52,97.958 704.01,98.218 705.5,98.478C705.69,101.038 705.88,103.608 706.07,106.168C710.29,105.658 714.57,105.208 718.8,105.838C724.77,106.788 730.72,105.238 736.39,103.518C740.47,102.448 741.98,98.088 744.07,94.908C744.71,95.658 745.35,96.418 746,97.178C747.18,96.518 748.37,95.848 749.62,95.338C751.32,96.898 752.5,98.958 754.25,100.468C755.78,100.788 757.36,100.468 758.9,100.318C751.64,102.708 744.97,106.628 738.82,111.138C734.54,114.228 731.12,118.378 728.64,123.018C725.28,129.268 721.86,135.828 721.59,143.068C720.97,150.988 723.16,158.948 727.2,165.728C729.39,169.298 733.05,171.538 736.23,174.128C730.78,173.488 725.8,171.098 720.78,169.058C713.16,166.008 706.3,161.138 701.12,154.768C689.44,141.618 683.7,123.038 687.5,105.708C688.24,103.108 688.75,100.168 690.79,98.238Z" style="fill:rgb(252,208,207);fill-rule:nonzero;"/>
 11 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 12 |         <path d="M101.11,290.22C109,287.68 117.35,288.38 125.39,289.65C127.34,289.99 127.64,292.41 128.58,293.81C117.92,300.4 109.08,309.63 101.66,319.66C97.64,324.72 93.47,329.72 90.45,335.48C85.61,344.6 80.09,353.65 78.44,364.03C75.26,361.44 71.6,359.2 69.41,355.63C65.37,348.85 63.18,340.89 63.8,332.97C64.07,325.73 67.49,319.17 70.85,312.92C73.33,308.28 76.75,304.13 81.03,301.04C87.18,296.53 93.85,292.61 101.11,290.22Z" style="fill:rgb(235,172,186);fill-rule:nonzero;"/>
 13 |     </g>
 14 |     <path d="M1052.99,111.288C1063.65,108.918 1074.82,108.288 1085.58,110.358C1092.57,112.158 1099.31,115.368 1104.85,120.048C1112.37,126.888 1117.04,137.408 1115.21,147.638C1114.08,144.028 1113.09,140.378 1112.47,136.648C1111.62,136.978 1110.78,137.308 1109.94,137.638C1110.18,135.428 1110.4,133.218 1110.59,131.008C1108.22,134.458 1107.46,138.608 1107.2,142.708C1104.1,142.928 1101,143.148 1097.9,143.368C1097.91,143.988 1097.92,145.238 1097.93,145.858C1100.5,146.018 1103.07,146.178 1105.64,146.348C1105.65,146.978 1105.66,148.218 1105.67,148.838C1102.54,148.988 1099.32,148.798 1096.3,149.738C1093.95,150.738 1092.11,152.588 1090.16,154.178C1089.41,146.258 1090.01,138.308 1089.67,130.378C1086.98,130.138 1084.3,129.918 1081.62,129.718C1083.62,129.388 1085.63,129.058 1087.65,128.748C1087.21,127.928 1086.77,127.108 1086.34,126.298C1083.96,126.688 1081.59,127.118 1079.23,127.588C1079.56,128.438 1079.9,129.278 1080.24,130.138C1076.56,130.098 1072.87,130.138 1069.19,130.238C1068.9,131.838 1068.62,133.448 1068.34,135.068C1064.67,134.468 1060.14,134.398 1058.43,130.448C1055.22,130.468 1052.02,130.788 1048.84,131.178C1051.69,133.218 1054.46,135.388 1056.91,137.898C1056.36,137.978 1055.26,138.148 1054.7,138.228C1045.78,132.068 1034.25,129.368 1023.68,132.298C1022.63,132.418 1021.59,132.468 1020.55,132.448C1028.05,121.548 1040.27,114.378 1052.99,111.288ZM1079.23,127.588C1081.59,127.118 1083.96,126.688 1086.34,126.298C1086.77,127.108 1087.21,127.928 1087.65,128.748C1085.63,129.058 1083.62,129.388 1081.62,129.718C1084.3,129.918 1086.98,130.138 1089.67,130.378C1090.01,138.308 1089.41,146.258 1090.16,154.178C1092.11,152.588 1093.95,150.738 1096.3,149.738C1099.32,148.798 1102.54,148.988 1105.67,148.838C1105.66,148.218 1105.65,146.978 1105.64,146.348C1103.07,146.178 1100.5,146.018 1097.93,145.858C1097.92,145.238 1097.91,143.988 1097.9,143.368C1101,143.148 1104.1,142.928 1107.2,142.708C1107.46,138.608 1108.22,134.458 1110.59,131.008C1110.4,133.218 1110.18,135.428 1109.94,137.638C1110.78,137.308 1111.62,136.978 1112.47,136.648C1113.09,140.378 1114.08,144.028 1115.21,147.638C1115.99,151.218 1114.77,154.858 1114.05,158.348C1110.97,171.328 1103.15,182.778 1093.26,191.558C1082.83,199.328 1070.36,204.118 1057.71,206.788C1057.81,206.218 1058.02,205.068 1058.12,204.488C1061.37,203.308 1064.89,202.258 1067.27,199.588C1073.14,192.948 1075.62,183.818 1075.09,175.068C1075.03,166.098 1071.53,157.558 1066.89,150.018C1063.88,145.138 1059.25,141.588 1054.7,138.228C1055.26,138.148 1056.36,137.978 1056.91,137.898C1054.46,135.388 1051.69,133.218 1048.84,131.178C1052.02,130.788 1055.22,130.468 1058.43,130.448C1060.14,134.398 1064.67,134.468 1068.34,135.068C1068.62,133.448 1068.9,131.838 1069.19,130.238C1072.87,130.138 1076.56,130.098 1080.24,130.138C1079.9,129.278 1079.56,128.438 1079.23,127.588Z" style="fill:rgb(252,208,207);fill-rule:nonzero;"/>
 15 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 16 |         <path d="M365.89,322.2C376.46,319.27 387.99,321.97 396.91,328.13C401.46,331.49 406.09,335.04 409.1,339.92C413.74,347.46 417.24,356 417.3,364.97C417.83,373.72 415.35,382.85 409.48,389.49C407.1,392.16 403.58,393.21 400.33,394.39C399.34,384.06 397.06,373.77 392.81,364.27C389.53,355.7 385.75,347.2 380.15,339.85C375.6,333.81 371.13,327.67 365.89,322.2Z" style="fill:rgb(237,172,187);fill-rule:nonzero;"/>
 17 |     </g>
 18 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 19 |         <path d="M499.44,403.48C505.73,391.43 509.88,378.28 511.8,364.83C511.92,365.99 512.07,367.15 512.24,368.31C515.3,369.14 518.65,369.7 521.11,371.87C524.21,374.55 524.9,379.16 528.43,381.44C530.55,385.43 531.84,389.8 532.46,394.27C524.84,390.4 518.18,384.9 512.15,378.9C509.62,387.05 507.35,395.45 502.74,402.73C497.27,412.47 489.96,421.26 480.77,427.71C481.27,426.09 481.9,424.46 483.26,423.37C489.73,417.71 494.73,410.6 499.44,403.48Z" style="fill:rgb(191,190,201);fill-rule:nonzero;"/>
 20 |     </g>
 21 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 22 |         <path d="M134.61,385.62C144.53,381.49 156.32,383.76 164.54,390.46C171.12,396.32 175.56,404.58 176.51,413.37C177.5,423.05 177.8,433.64 172.07,442.04C166.97,447.82 160.6,452.62 153.31,455.25C150.01,456.55 146.43,456.02 143.04,455.45C143.27,454.82 143.73,453.57 143.96,452.94C151.76,452.39 159.61,448.61 164.12,442.06C169.51,435.02 170.74,425.69 170.13,417.08C169.33,408.18 163.44,400.44 155.72,396.26C148.96,393.02 141.06,392.35 133.77,393.95C126.41,395.98 119.64,400.74 115.73,407.37C115.74,405.86 115.69,404.35 115.73,402.85C119.32,394.77 126.07,388.2 134.61,385.62Z" style="fill:rgb(248,250,249);fill-rule:nonzero;"/>
 23 |     </g>
 24 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 25 |         <path d="M133.77,393.95C141.06,392.35 148.96,393.02 155.72,396.26C163.44,400.44 169.33,408.18 170.13,417.08C170.74,425.69 169.51,435.02 164.12,442.06C159.61,448.61 151.76,452.39 143.96,452.94C142.03,452.81 140.1,452.61 138.2,452.32C121.1,449.36 109.82,430.29 113.78,413.76C114.3,411.59 115.04,409.49 115.73,407.37C119.64,400.74 126.41,395.98 133.77,393.95M151.67,429.81C153.37,431.87 155.58,433.43 158.11,434.33C156.98,431.6 154.42,430.32 151.67,429.81M144.38,433.47C140.78,434.4 137.6,438.65 139.78,442.23C143.82,446.76 152.14,446.74 155.71,441.66C155.87,439.17 154.56,436.79 153.45,434.64C151.23,432.03 147.29,432.38 144.38,433.47Z" style="fill:rgb(5,5,7);fill-rule:nonzero;"/>
 26 |     </g>
 27 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 28 |         <path d="M199.84,405.83C206.88,400.79 215.18,397.13 223.94,396.87C236.89,396.61 250.24,401.23 259.2,410.82C272.2,423.72 275.8,443.15 274.57,460.8C273.3,471.93 269.84,482.74 264.4,492.53C261.69,496.97 258.08,500.81 254.01,504.03C249.52,507.49 244.17,509.53 239.38,512.5C238.36,512.31 237.33,512.17 236.3,512.09C225.9,512.79 215.27,512.09 205.27,509.02C192.1,502.4 182.54,489.05 180.39,474.49C179.2,462.77 178.71,450.91 180.25,439.19C181.85,433.05 183.43,426.84 186.12,421.08C189.38,414.99 194.14,409.72 199.84,405.83Z" style="fill:rgb(6,7,9);fill-rule:nonzero;"/>
 29 |     </g>
 30 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 31 |         <path d="M21.3,408.93C30.25,411.75 39.74,410.9 48.96,411.73C57.26,412.44 65.59,411.93 73.9,411.75C74.13,415.52 74.46,419.32 75.53,422.97C71.88,425.64 68.2,428.47 63.81,429.8C57.08,431.96 49.91,430.98 43.02,430.39C39.37,430.01 35.63,428.68 32.02,430.02C25.03,432.25 17.88,433.95 10.62,435.02C10.66,434.24 10.74,432.68 10.78,431.89C13.08,423.73 16.97,416.18 21.3,408.93Z" style="fill:rgb(206,204,210);fill-rule:nonzero;"/>
 32 |     </g>
 33 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 34 |         <path d="M300.11,423.1C305.83,417.93 313.16,414.14 320.97,413.75C327.16,413.37 333.8,413.52 339.31,416.73C346.77,421.19 352.14,428.74 354.38,437.11C354.37,440.21 353.85,443.28 353.33,446.33C352.17,440.8 349.77,435.32 345.31,431.67C339.55,427.12 332.44,424.08 325.04,423.91C314.92,422.54 305.24,428.62 299.45,436.52C295.18,442.03 295.13,449.36 295.52,455.99C296.07,463.19 297.25,471.02 302.61,476.35C304.13,477.95 305.73,479.5 307.46,480.89C311.08,483.44 315.34,484.81 319.44,486.37C311.97,489.69 304.25,485.1 298.46,480.56C292.58,476.14 289.87,468.93 288.5,461.95C287.26,448.38 289.4,432.67 300.11,423.1Z" style="fill:rgb(251,252,249);fill-rule:nonzero;"/>
 35 |     </g>
 36 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 37 |         <path d="M151.67,429.81C153.138,430.082 154.552,430.574 155.723,431.389C156.746,432.1 157.583,433.057 158.11,434.33C155.58,433.43 153.37,431.87 151.67,429.81Z" style="fill:rgb(44,46,49);fill-rule:nonzero;"/>
 38 |     </g>
 39 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 40 |         <path d="M144.38,433.47C147.29,432.38 151.23,432.03 153.45,434.64C154.56,436.79 155.87,439.17 155.71,441.66C152.14,446.74 143.82,446.76 139.78,442.23C137.6,438.65 140.78,434.4 144.38,433.47Z" style="fill:rgb(251,253,253);fill-rule:nonzero;"/>
 41 |     </g>
 42 |     <path d="M769.46,239.478C769.76,230.548 768.5,220.898 773.52,212.948C773.48,214.448 773.53,215.958 773.52,217.468C772.83,219.588 772.09,221.688 771.57,223.858C767.61,240.388 778.89,259.458 795.99,262.418C794.9,263.588 793.82,264.758 792.75,265.938C791.5,265.058 790.26,264.178 789.02,263.298C790.79,267.768 791.86,273.178 789.26,277.548C788.01,279.788 785.24,282.328 787.35,284.948C789.39,285.418 791.82,284.848 793.56,286.208C795.32,288.518 795.75,291.498 796.55,294.228C795.89,297.118 795.43,300.048 794.67,302.928C794.94,297.818 792.83,292.978 788.81,289.798C783.26,285.378 775.97,284.028 769.07,283.418C767.53,283.268 765.99,283.118 764.46,282.978C766.17,290.708 769.96,297.688 773.96,304.438C770.38,303.188 767.39,300.798 764.65,298.248C762.69,301.158 760.69,304.048 758.6,306.868C759.25,307.928 759.9,308.998 760.56,310.068C759.9,310.828 759.25,311.578 758.6,312.348C753.63,306.858 750.81,299.938 747.38,293.488C743.53,286.178 741.89,278.018 739.89,270.078C738.22,263.438 737.08,256.688 735.9,249.948C734.89,244.338 734.88,238.568 733.32,233.068C732.25,229.418 731.92,225.618 731.69,221.848C732.76,224.548 733.8,227.258 734.84,229.968C735.71,229.578 736.59,229.198 737.47,228.818C736.59,228.158 735.71,227.498 734.83,226.848C741.14,226.158 747.79,224.868 753.95,226.998C760.6,229.308 762.66,237.418 769.46,239.478ZM695.74,32.048C713.4,23.978 733.22,20.688 752.54,22.468C759.91,23.138 767.02,25.378 773.92,27.978C781.49,30.858 788.18,35.508 794.89,39.948C799.05,42.698 803.12,45.688 806.38,49.488C814.73,59.408 821.85,70.568 825.79,82.998C826.91,86.618 827.71,82.818 829.59,86.108C829.42,83.668 829.89,88.528 829.59,86.108C852.48,79.978 876.43,81.878 899.84,82.258C919.2,83.418 938.48,86.478 957.15,91.768C964.94,93.868 972.49,96.838 980.43,98.338C979.73,101.618 979.74,104.998 979.81,108.338C983.8,99.088 987.76,89.558 994.99,82.288C1002.11,75.338 1009.55,68.438 1018.4,63.728C1023.89,60.708 1029.4,57.608 1035.39,55.718C1048.22,51.928 1061.65,49.428 1075.07,50.678C1083.54,51.538 1092.05,52.888 1100.08,55.818C1109.91,59.488 1119.8,63.358 1128.43,69.458C1135.24,73.848 1140.3,80.278 1145.54,86.348C1153.43,95.478 1158.03,106.858 1161.74,118.198C1168.99,136.098 1170.85,155.778 1169.59,174.928C1167.67,188.378 1163.52,201.528 1157.23,213.578C1152.52,220.698 1147.52,227.808 1141.05,233.468C1139.69,234.558 1139.06,236.188 1138.56,237.808C1128.36,246.228 1115.66,250.528 1103.24,254.458C1097.55,252.918 1091.59,254.088 1085.79,253.968C1074.29,254.318 1062.77,252.838 1051.3,253.878C1051.21,254.878 1051.11,255.888 1050.99,256.898C1049.82,262.418 1047.99,267.778 1047,273.338C1046.48,268.848 1045.73,264.388 1045.25,259.888C1045,262.668 1044.72,265.438 1044.41,268.218C1043.45,264.988 1042.62,261.718 1041.93,258.428C1038.7,258.108 1035.25,258.198 1032.36,256.498C1030.04,255.168 1027.94,253.508 1025.79,251.958C1025.75,245.928 1026.1,239.868 1025.31,233.868C1025,236.588 1024.72,239.318 1024.47,242.048C1022.37,241.998 1020.28,241.958 1018.2,241.908C1017.99,240.708 1017.78,239.508 1017.58,238.328C1016.97,239.198 1016.37,240.078 1015.77,240.968C1014.3,238.748 1012.32,236.938 1009.91,235.788C1011.26,238.378 1012.82,240.858 1014.44,243.288C1013.69,244.598 1012.93,245.898 1012.17,247.208C1009.93,238.838 1004.56,231.288 997.1,226.828C991.59,223.618 984.95,223.468 978.76,223.848C970.95,224.238 963.62,228.028 957.9,233.198C947.19,242.768 945.05,258.478 946.29,272.048C945.24,273.448 944.2,274.838 943.14,276.238C942.05,275.208 940.96,274.198 939.88,273.188C939.46,274.278 939.09,275.408 938.59,276.478C937.95,275.888 937.33,275.298 936.72,274.698C936.64,275.218 936.47,276.258 936.39,276.778C935.04,274.818 933.7,272.848 932.36,270.898C933.59,253.248 929.99,233.818 916.99,220.918C908.03,211.328 894.68,206.708 881.73,206.968C872.97,207.228 864.67,210.888 857.63,215.928C851.93,219.818 847.17,225.088 843.91,231.178C841.22,236.938 839.64,243.148 838.04,249.288C838.02,248.768 837.97,247.738 837.95,247.218C836.31,249.548 834.82,251.978 833.33,254.408C833.5,253.068 833.66,251.748 833.83,250.418C832.44,251.618 831.05,252.818 829.63,253.978C829.68,253.518 829.8,252.598 829.86,252.138C835.59,243.738 835.29,233.148 834.3,223.468C833.35,214.678 828.91,206.418 822.33,200.558C814.11,193.858 802.32,191.588 792.4,195.718C783.86,198.298 777.11,204.868 773.52,212.948C768.5,220.898 769.76,230.548 769.46,239.478C762.66,237.418 760.6,229.308 753.95,226.998C747.79,224.868 741.14,226.158 734.83,226.848C735.71,227.498 736.59,228.158 737.47,228.818C736.59,229.198 735.71,229.578 734.84,229.968C733.8,227.258 732.76,224.548 731.69,221.848C723.38,222.028 715.05,222.538 706.75,221.828C697.53,220.998 688.04,221.848 679.09,219.028C671.13,216.258 662.897,207.815 657.79,200.655C638.275,173.296 633.966,154.291 637.02,120.575C638.092,108.744 641.627,97.878 648.127,82.427L657.79,65.848C661.77,61.218 665.54,56.418 669.41,51.708C676.48,43.168 685.84,36.848 695.74,32.048M707.93,81.288C700.12,84.008 693.26,90.218 690.79,98.238C688.75,100.168 688.24,103.108 687.5,105.708C683.7,123.038 689.44,141.618 701.12,154.768C706.3,161.138 713.16,166.008 720.78,169.058C725.8,171.098 730.78,173.488 736.23,174.128C737.88,163.748 743.4,154.698 748.24,145.578C751.26,139.818 755.43,134.818 759.45,129.758C766.87,119.728 775.71,110.498 786.37,103.908C785.43,102.508 785.13,100.088 783.18,99.748C779.2,93.738 773.02,89.708 767.1,85.818C759.6,81.568 751.59,77.608 742.88,76.798C737.86,76.188 732.79,76.098 727.73,76.228C720.81,76.258 714.36,79.048 707.93,81.288M1052.99,111.288C1040.27,114.378 1028.05,121.548 1020.55,132.448C1021.59,132.468 1022.63,132.418 1023.68,132.298C1028.92,137.768 1033.39,143.908 1037.94,149.948C1043.54,157.298 1047.32,165.798 1050.6,174.368C1054.85,183.868 1057.13,194.158 1058.12,204.488C1058.02,205.068 1057.81,206.218 1057.71,206.788C1070.36,204.118 1082.83,199.328 1093.26,191.558C1103.15,182.778 1110.97,171.328 1114.05,158.348C1114.77,154.858 1115.99,151.218 1115.21,147.638C1117.04,137.408 1112.37,126.888 1104.85,120.048C1099.31,115.368 1092.57,112.158 1085.58,110.358C1074.82,108.288 1063.65,108.918 1052.99,111.288ZM1025.31,233.868C1026.1,239.868 1025.75,245.928 1025.79,251.958C1027.94,253.508 1030.04,255.168 1032.36,256.498C1035.25,258.198 1038.7,258.108 1041.93,258.428C1042.62,261.718 1043.45,264.988 1044.41,268.218C1044.72,265.438 1045,262.668 1045.25,259.888C1045.73,264.388 1046.48,268.848 1047,273.338C1044.18,287.958 1039.86,302.478 1031.96,315.218C1032.41,312.358 1032.78,309.488 1033.3,306.648C1031.52,306.618 1029.75,306.588 1027.97,306.568C1027.81,304.898 1027.66,303.228 1027.5,301.568C1023.61,301.818 1019.35,303.108 1015.72,301.108C1011.69,298.958 1007.43,297.318 1003.09,295.958C1002.93,296.298 1002.61,296.978 1002.45,297.308C998.3,296.458 994.13,295.578 990.19,294.008C998.65,290.498 1005.06,283.388 1008.97,275.248C1011.49,269.338 1011.84,262.738 1011.12,256.428C1011.64,253.378 1012.16,250.308 1012.17,247.208C1012.93,245.898 1013.69,244.598 1014.44,243.288C1012.82,240.858 1011.26,238.378 1009.91,235.788C1012.32,236.938 1014.3,238.748 1015.77,240.968C1016.37,240.078 1016.97,239.198 1017.58,238.328C1017.78,239.508 1017.99,240.708 1018.2,241.908C1020.28,241.958 1022.37,241.998 1024.47,242.048C1024.72,239.318 1025,236.588 1025.31,233.868ZM833.33,254.408C834.82,251.978 836.31,249.548 837.95,247.218C837.97,247.738 838.02,248.768 838.04,249.288C836.5,261.008 836.99,272.868 838.18,284.588C840.33,299.148 849.89,312.498 863.06,319.118C862.55,319.088 861.54,319.018 861.03,318.988C859.63,318.618 858.26,318.158 856.89,317.728C858.59,325.588 859.63,335.068 866.99,339.868C871.95,342.458 877.86,342.948 883.37,342.608C890.54,341.598 894.49,334.618 895.87,328.148C894.96,329.508 894.08,330.888 893.2,332.278C893.61,328.918 893.87,325.548 894.09,322.188C895.12,322.268 896.156,322.315 897.161,322.177C897.477,322.133 897.556,322.141 897.739,322.094C897.822,322.073 897.981,322.036 898.096,321.988C898.257,321.92 898.732,321.691 898.877,321.598C899.952,320.912 901.194,320.346 902.203,319.819C904.998,318.36 906.823,317.421 908.367,316.495C909.292,315.941 919.603,307.284 922.19,302.628C927.63,292.838 931.09,282.028 932.36,270.898C933.7,272.848 935.04,274.818 936.39,276.778C936.47,276.258 936.64,275.218 936.72,274.698C937.33,275.298 937.95,275.888 938.59,276.478C939.09,275.408 939.46,274.278 939.88,273.188C940.96,274.198 942.05,275.208 943.14,276.238C944.2,274.838 945.24,273.448 946.29,272.048C947.66,279.028 950.37,286.238 956.25,290.658C962.04,295.198 969.76,299.788 977.23,296.468C981.6,296.018 986.04,295.568 990.19,294.008C994.13,295.578 998.3,296.458 1002.45,297.308C1002.61,296.978 1002.93,296.298 1003.09,295.958C1007.43,297.318 1011.69,298.958 1015.72,301.108C1019.35,303.108 1023.61,301.818 1027.5,301.568C1027.66,303.228 1027.81,304.898 1027.97,306.568C1029.75,306.588 1031.52,306.618 1033.3,306.648C1032.78,309.488 1032.41,312.358 1031.96,315.218C1024.8,329.738 1014.37,343.488 999.55,350.778C998.79,351.168 998.03,351.568 997.28,351.978C991.21,349.208 985.5,353.688 979.68,354.908C971.04,356.828 962.16,357.358 953.41,358.648C942.94,360.238 932.34,359.548 921.8,359.918C908.78,360.368 895.67,360.208 882.78,358.128C873.62,356.668 864.3,356.438 855.2,354.528C847.05,352.828 838.71,352.228 830.6,350.308C822.86,348.468 814.89,347.418 807.5,344.348C801.9,342.308 796.48,339.168 790.38,339.018L790.01,339.388C778.36,331.898 767.35,323.158 758.6,312.348C759.25,311.578 759.9,310.828 760.56,310.068C759.9,308.998 759.25,307.928 758.6,306.868C760.69,304.048 762.69,301.158 764.65,298.248C767.39,300.798 770.38,303.188 773.96,304.438C775.81,307.018 777.64,309.788 780.31,311.598C786.76,313.568 791.53,307.648 794.67,302.928C795.43,300.048 795.89,297.118 796.55,294.228C795.75,291.498 795.32,288.518 793.56,286.208C791.82,284.848 789.39,285.418 787.35,284.948C785.24,282.328 788.01,279.788 789.26,277.548C791.86,273.178 790.79,267.768 789.02,263.298C790.26,264.178 791.5,265.058 792.75,265.938C793.82,264.758 794.9,263.588 795.99,262.418C797.89,262.708 799.82,262.908 801.75,263.038C801.52,263.668 801.06,264.918 800.83,265.548C804.22,266.118 807.8,266.648 811.1,265.348C818.39,262.718 824.76,257.918 829.86,252.138C829.8,252.598 829.68,253.518 829.63,253.978C831.05,252.818 832.44,251.618 833.83,250.418C833.66,251.748 833.5,253.068 833.33,254.408M1001.77,323.378C996.6,324.158 991.23,321.598 986.22,323.638C982.57,325.348 980.01,328.618 977.36,331.538C976.31,334.258 974.49,337.658 976.56,340.368C979.21,343.138 983.07,344.628 986.85,344.968C990.64,345.298 993.67,342.678 996.54,340.618C1002.85,335.428 1005.77,327.478 1010.52,321.028C1007.62,321.888 1004.76,322.898 1001.77,323.378Z" style="fill:rgb(166,163,169);fill-rule:nonzero;"/>
 43 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 44 |         <path d="M393.51,443.78C404.98,442.74 416.5,444.22 428,443.87C433.8,443.99 439.76,442.82 445.45,444.36C449.9,449.66 455.24,454.15 459.36,459.74C453.05,460.01 446.75,458.92 440.45,459.58C431.9,460.08 423.18,461.11 414.72,459.29C406.41,457.51 399.68,451.98 393.2,446.8C393.32,445.79 393.42,444.78 393.51,443.78Z" style="fill:rgb(208,203,207);fill-rule:nonzero;"/>
 45 |     </g>
 46 |     <path d="M957.24,246.618C963.03,238.718 972.71,232.638 982.83,234.008C990.23,234.178 997.34,237.218 1003.1,241.768C1007.56,245.418 1009.96,250.898 1011.12,256.428C1011.84,262.738 1011.49,269.338 1008.97,275.248C1005.06,283.388 998.65,290.498 990.19,294.008C986.04,295.568 981.6,296.018 977.23,296.468C973.13,294.908 968.87,293.538 965.25,290.988C968.6,287.538 973.55,287.948 977.93,287.338C979.64,286.118 981.579,284.493 981.24,282.128C981.09,281.079 980.819,280.19 980.655,279.543C980.467,278.794 979.696,277.888 979.561,277.815C976.681,276.265 974.35,274.518 970.9,275.068C968.23,275.358 966.18,277.238 964.46,279.128C962.38,281.098 961.21,283.738 960.4,286.448C955.04,281.118 953.86,273.288 953.31,266.088C952.92,259.458 952.97,252.128 957.24,246.618ZM960.4,286.448C961.21,283.738 962.38,281.098 964.46,279.128C964.51,280.938 963.89,283.178 965.66,284.408C968.99,287.338 973.75,287.288 977.93,287.338C973.55,287.948 968.6,287.538 965.25,290.988C963.52,289.598 961.92,288.048 960.4,286.448Z" style="fill:rgb(4,5,6);fill-rule:nonzero;"/>
 47 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 48 |         <path d="M306.657,469.005C308.377,467.115 310.44,465.26 313.11,464.97C315.837,464.183 319.748,465.647 321.9,467.817C323.199,469.127 323.342,470.869 323.45,472.03C323.687,474.568 322.253,476.149 320.14,477.24C315.96,477.19 311.2,477.24 307.87,474.31C306.1,473.08 306.055,471.331 306.657,469.005Z" style="fill:rgb(253,253,251);fill-rule:nonzero;"/>
 49 |     </g>
 50 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 51 |         <path d="M106.67,472.88C108.2,473.02 109.74,473.17 111.28,473.32C110.87,473.48 110.04,473.81 109.63,473.98L108.91,474.25C110.86,477.63 110.98,482.66 114.82,484.56C116.06,487.89 117.33,491.22 118.86,494.44C118.91,492.31 118.91,490.2 119.05,488.08C119.16,487.83 119.39,487.33 119.5,487.08C120.28,489.94 121.02,492.82 121.74,495.71C123.57,495.41 125.95,495.88 127.12,494.06C129.3,491.39 131.14,488.47 133.21,485.73C131.93,484.2 130.65,482.7 129.36,481.19C129.77,480.82 130.61,480.07 131.02,479.7C135.04,482.88 137.15,487.72 136.88,492.83C133.74,497.55 128.97,503.47 122.52,501.5C119.85,499.69 118.02,496.92 116.17,494.34C112.17,487.59 108.38,480.61 106.67,472.88Z" style="fill:rgb(100,70,56);fill-rule:nonzero;"/>
 52 |     </g>
 53 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 54 |         <path d="M111.28,473.32C118.18,473.93 125.47,475.28 131.02,479.7C130.61,480.07 129.77,480.82 129.36,481.19C130.65,482.7 131.93,484.2 133.21,485.73C131.14,488.47 129.3,491.39 127.12,494.06C125.95,495.88 123.57,495.41 121.74,495.71C121.02,492.82 120.28,489.94 119.5,487.08C119.39,487.33 119.16,487.83 119.05,488.08C117.63,486.92 116.24,485.72 114.82,484.56C116.67,484.97 118.53,485.31 120.39,485.68C119.7,484.38 119.01,483.08 118.32,481.79C120.17,480.94 122.01,480.08 123.85,479.21C119.95,475.7 114.47,475.34 109.63,473.98C110.04,473.81 110.87,473.48 111.28,473.32Z" style="fill:rgb(124,89,71);fill-rule:nonzero;"/>
 55 |     </g>
 56 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 57 |         <path d="M108.91,474.25L109.63,473.98C114.47,475.34 119.95,475.7 123.85,479.21C122.01,480.08 120.17,480.94 118.32,481.79C119.01,483.08 119.7,484.38 120.39,485.68C118.53,485.31 116.67,484.97 114.82,484.56C110.98,482.66 110.86,477.63 108.91,474.25Z" style="fill:rgb(155,105,97);fill-rule:nonzero;"/>
 58 |     </g>
 59 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 60 |         <path d="M114.82,484.56C116.24,485.72 117.63,486.92 119.05,488.08C118.91,490.2 118.91,492.31 118.86,494.44C117.33,491.22 116.06,487.89 114.82,484.56Z" style="fill:rgb(188,131,132);fill-rule:nonzero;"/>
 61 |     </g>
 62 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 63 |         <path d="M199.1,507.63C200.47,508.06 201.84,508.52 203.24,508.89C203.91,513.39 203.08,518.84 206.72,522.29C213.2,528.74 223.97,530.58 232.04,526.07C233.56,525.17 234.49,523.61 235.41,522.18C236.29,520.79 237.17,519.41 238.08,518.05C236.7,524.52 232.75,531.5 225.58,532.51C220.07,532.85 214.16,532.36 209.2,529.77C201.84,524.97 200.8,515.49 199.1,507.63Z" style="fill:rgb(121,57,51);fill-rule:nonzero;"/>
 64 |     </g>
 65 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 66 |         <path d="M203.24,508.89C203.75,508.92 204.76,508.99 205.27,509.02C215.27,512.09 225.9,512.79 236.3,512.09C236.08,515.45 235.82,518.82 235.41,522.18C234.49,523.61 233.56,525.17 232.04,526.07C223.97,530.58 213.2,528.74 206.72,522.29C203.08,518.84 203.91,513.39 203.24,508.89Z" style="fill:rgb(254,254,253);fill-rule:nonzero;"/>
 67 |     </g>
 68 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 69 |         <path d="M343.98,513.28C346.97,512.8 349.83,511.79 352.73,510.93C347.98,517.38 345.06,525.33 338.75,530.52C336.14,529.35 333.32,528.61 330.91,527.07C329.24,525.53 328.16,523.49 326.92,521.63C326.25,521.86 325.6,522.1 324.94,522.35C324.21,521.79 323.48,521.23 322.76,520.67C321.69,520.92 320.63,521.17 319.57,521.44C322.22,518.52 324.78,515.25 328.43,513.54C333.44,511.5 338.81,514.06 343.98,513.28M332.89,516.06C335.88,518.02 338.47,520.69 339.01,524.38C343.09,522.54 345.83,518.91 348.2,515.26C343.1,515.54 338,515.9 332.89,516.06Z" style="fill:rgb(115,70,73);fill-rule:nonzero;"/>
 70 |     </g>
 71 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 72 |         <path d="M332.89,516.06C338,515.9 343.1,515.54 348.2,515.26C345.83,518.91 343.09,522.54 339.01,524.38C338.47,520.69 335.88,518.02 332.89,516.06Z" style="fill:rgb(167,109,107);fill-rule:nonzero;"/>
 73 |     </g>
 74 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 75 |         <path d="M319.57,521.44C320.63,521.17 321.69,520.92 322.76,520.67C323.48,521.23 324.21,521.79 324.94,522.35C325.6,522.1 326.25,521.86 326.92,521.63C328.16,523.49 329.24,525.53 330.91,527.07C333.32,528.61 336.14,529.35 338.75,530.52C335.88,532.58 332.85,535.2 329.06,534.87C325.28,534.53 321.42,533.04 318.77,530.27C316.7,527.56 318.52,524.16 319.57,521.44Z" style="fill:rgb(88,51,49);fill-rule:nonzero;"/>
 76 |     </g>
 77 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 78 |         <path d="M132.59,528.92C138.69,529.07 144.11,532.21 149.71,534.25C157.1,537.32 165.07,538.37 172.81,540.21C180.92,542.13 189.26,542.73 197.41,544.43C206.51,546.34 215.83,546.57 224.99,548.03C237.88,550.11 250.99,550.27 264.01,549.82C274.55,549.45 285.15,550.14 295.62,548.55C304.37,547.26 313.25,546.73 321.89,544.81C327.71,543.59 333.42,539.11 339.49,541.88C335.69,544.01 332,546.4 327.9,547.93C321.68,550.27 315.08,551.35 308.57,552.61C296.18,554.75 283.63,556.74 271,555.92C246.96,555.36 222.99,553.11 199.17,549.85C185.27,547.69 171.23,545.71 157.88,541.1C150.99,538.71 143.96,536.63 137.3,533.64C135.14,532.76 133.87,530.73 132.59,528.92Z" style="fill:rgb(209,203,215);fill-rule:nonzero;"/>
 79 |     </g>
 80 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 81 |         <path d="M132.22,529.29L132.59,528.92C133.87,530.73 135.14,532.76 137.3,533.64C143.96,536.63 150.99,538.71 157.88,541.1C171.23,545.71 185.27,547.69 199.17,549.85C222.99,553.11 246.96,555.36 271,555.92C283.63,556.74 296.18,554.75 308.57,552.61C315.08,551.35 321.68,550.27 327.9,547.93C332,546.4 335.69,544.01 339.49,541.88C340.24,541.47 341,541.07 341.76,540.68C352.79,556.1 363.82,572.34 367.87,591.17C371.41,605.08 372.26,619.5 371.43,633.79C370.54,642.3 370.42,651.12 367.15,659.15C367.18,658.66 367.25,657.68 367.28,657.18C364.04,659.93 360.73,662.63 357,664.7C356.46,664.46 355.92,664.22 355.39,663.98C357.42,658.5 358.73,652.53 357.24,646.74C355.8,638.62 350.07,632.15 343.92,627.06C339.63,623.39 333.78,622.97 328.42,622.41C320.11,621.63 311.35,621.11 303.48,624.38C299.56,625.89 296.25,628.6 293.57,631.79C294.88,620.12 294.73,607.57 289.03,596.98C280.68,581.13 263.6,571.09 246.11,568.91C228.71,566.98 210.17,568.96 194.84,577.93C185.35,583.5 179.49,593.27 175.05,603.02C172.83,607.96 172,613.39 171.72,618.77C171.47,622.52 171.28,626.26 171.14,630.02C166.78,627.34 162.14,625.03 157.09,624.02C146.02,621.65 134,619.76 123.19,624.25C115.87,627.62 108.47,632.52 105.28,640.25C101.86,648.66 105.97,658.23 101.71,666.43C96.35,660.9 94.38,653.17 93.28,645.78C91.68,633.25 92.23,620.58 92.87,608.01C93.26,599.59 96,591.55 98.6,583.61C105.43,563.21 117.23,544.67 132.22,529.29Z" style="fill:rgb(168,165,173);fill-rule:nonzero;"/>
 82 |     </g>
 83 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 84 |         <path d="M194.84,577.93C210.17,568.96 228.71,566.98 246.11,568.91C263.6,571.09 280.68,581.13 289.03,596.98C294.73,607.57 294.88,620.12 293.57,631.79C291.99,638.84 290.18,645.85 288.73,652.92C277.07,652.58 265.55,654.69 253.93,655.21C243.63,655.72 233.31,656.29 223,655.87C210.04,655.57 197.13,654.2 184.19,653.61C181.6,653.4 179.02,653.07 176.44,652.78C174.68,641.47 170.81,630.36 171.72,618.77C172,613.39 172.83,607.96 175.05,603.02C179.49,593.27 185.35,583.5 194.84,577.93Z" style="fill:rgb(250,255,199);fill-rule:nonzero;"/>
 85 |     </g>
 86 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 87 |         <path d="M171.14,630.02C171.28,626.26 171.47,622.52 171.72,618.77C170.81,630.36 174.68,641.47 176.44,652.78C179.02,653.07 181.6,653.4 184.19,653.61C181.81,653.63 179.44,653.78 177.07,653.92C176.51,660.43 177.1,666.96 178.58,673.32C177.78,673.88 176.98,674.46 176.2,675.05C173.26,677.67 169.75,679.55 165.79,679.98C163.96,680.3 162.15,680.7 160.35,681.12C162.88,682.99 165.51,684.71 168.25,686.26C165.8,687.82 162.98,688.75 160.05,688.42C146.19,687.63 132.55,683.9 120.01,677.99C113.52,674.85 106.66,671.85 101.71,666.43C105.97,658.23 101.86,648.66 105.28,640.25C108.47,632.52 115.87,627.62 123.19,624.25C134,619.76 146.02,621.65 157.09,624.02C162.14,625.03 166.78,627.34 171.14,630.02Z" style="fill:rgb(189,183,192);fill-rule:nonzero;"/>
 88 |     </g>
 89 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 90 |         <path d="M303.48,624.38C311.35,621.11 320.11,621.63 328.42,622.41C333.78,622.97 339.63,623.39 343.92,627.06C350.07,632.15 355.8,638.62 357.24,646.74C358.73,652.53 357.42,658.5 355.39,663.98C355.92,664.22 356.46,664.46 357,664.7C360.73,662.63 364.04,659.93 367.28,657.18C367.25,657.68 367.18,658.66 367.15,659.15C365.61,663.36 362.94,667.09 359.69,670.16C354.43,673.55 348.84,676.39 343.33,679.34C330.23,686.23 315.22,688.55 300.55,688.19C299.64,684.94 301.31,682.04 303,679.4C299.24,678.87 295.41,679.29 291.83,680.55C291.49,680.65 290.82,680.86 290.48,680.97C290.12,680.96 289.41,680.95 289.06,680.94C290.05,678.52 289.94,676.1 287.76,674.41C287.16,674.13 286.56,673.86 285.96,673.62C287.49,666.81 288.42,659.89 288.73,652.92C290.18,645.85 291.99,638.84 293.57,631.79C296.25,628.6 299.56,625.89 303.48,624.38Z" style="fill:rgb(187,180,189);fill-rule:nonzero;"/>
 91 |     </g>
 92 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 93 |         <path d="M253.93,655.21C265.55,654.69 277.07,652.58 288.73,652.92C288.42,659.89 287.49,666.81 285.96,673.62C286.56,673.86 287.16,674.13 287.76,674.41C286.61,675.24 285.46,676.08 284.42,677.06C284.37,679.7 287.03,680.32 289.06,680.94C289.41,680.95 290.12,680.96 290.48,680.97C289.82,681.2 288.5,681.66 287.85,681.89C287.39,684.33 286.91,686.76 286.38,689.19C286.24,686.23 286.16,683.27 286.02,680.32C284.6,681.4 283.22,682.53 281.85,683.68C282.39,681 282.92,678.31 283.42,675.63C277.21,675.37 271.21,677.38 265.03,677.55C253.02,678.01 241.01,678.52 229,678.72C215.01,678.58 201.07,677.16 187.17,675.76C183.53,675.27 179.87,674.98 176.2,675.05C176.98,674.46 177.78,673.88 178.58,673.32C177.1,666.96 176.51,660.43 177.07,653.92C179.44,653.78 181.81,653.63 184.19,653.61C197.13,654.2 210.04,655.57 223,655.87C233.31,656.29 243.63,655.72 253.93,655.21Z" style="fill:rgb(171,169,173);fill-rule:nonzero;"/>
 94 |     </g>
 95 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 96 |         <path d="M165.79,679.98C169.75,679.55 173.26,677.67 176.2,675.05C179.87,674.98 183.53,675.27 187.17,675.76C186.05,675.91 184.95,676.09 183.84,676.29C182.89,679.08 181.75,681.91 179.61,684.03C175.8,680.7 170.79,679.29 165.79,679.98Z" style="fill:rgb(138,95,112);fill-rule:nonzero;"/>
 97 |     </g>
 98 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
 99 |         <path d="M284.42,677.06C285.46,676.08 286.61,675.24 287.76,674.41C289.94,676.1 290.05,678.52 289.06,680.94C287.03,680.32 284.37,679.7 284.42,677.06Z" style="fill:rgb(109,57,62);fill-rule:nonzero;"/>
100 |     </g>
101 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
102 |         <path d="M291.83,680.55C295.41,679.29 299.24,678.87 303,679.4C301.31,682.04 299.64,684.94 300.55,688.19C297.76,688.22 294.93,688.38 292.2,687.74C290.43,685.63 291.07,682.9 291.83,680.55Z" style="fill:rgb(145,68,68);fill-rule:nonzero;"/>
103 |     </g>
104 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
105 |         <path d="M160.35,681.12C162.15,680.7 163.96,680.3 165.79,679.98C170.79,679.29 175.8,680.7 179.61,684.03C179.28,684.23 178.62,684.65 178.29,684.86C176.81,684.5 175.35,684.08 173.9,683.68C173.52,684.89 173.16,686.12 172.79,687.35C171.7,686.79 170.66,686.15 169.62,685.54C169.27,685.72 168.59,686.08 168.25,686.26C165.51,684.71 162.88,682.99 160.35,681.12Z" style="fill:rgb(107,78,68);fill-rule:nonzero;"/>
106 |     </g>
107 |     <g transform="matrix(1,0,0,1,657.79,-189.902)">
108 |         <path d="M172.79,687.35C173.16,686.12 173.52,684.89 173.9,683.68C175.35,684.08 176.81,684.5 178.29,684.86C178.16,685.56 177.9,686.95 177.77,687.64C176.11,687.57 174.44,687.52 172.79,687.35Z" style="fill:rgb(134,110,121);fill-rule:nonzero;"/>
109 |     </g>
110 |     <g transform="matrix(1,0,0,1,-35.5143,-25.9563)">
111 |         <g transform="matrix(106.667,0,0,106.667,89.1766,246.057)">
112 |             <path d="M0.635,-0.531L0.627,-0.504C0.624,-0.493 0.621,-0.485 0.617,-0.482C0.613,-0.478 0.605,-0.475 0.593,-0.472C0.587,-0.47 0.583,-0.469 0.581,-0.468L0.592,-0.459C0.59,-0.451 0.584,-0.442 0.576,-0.434C0.568,-0.433 0.562,-0.432 0.558,-0.431C0.555,-0.429 0.55,-0.425 0.546,-0.42L0.554,-0.416L0.535,-0.401L0.51,-0.39L0.499,-0.382L0.47,-0.375C0.468,-0.375 0.459,-0.37 0.444,-0.361L0.427,-0.351L0.42,-0.353L0.398,-0.345L0.357,-0.335L0.331,-0.326L0.307,-0.328L0.293,-0.321L0.279,-0.322L0.269,-0.318L0.256,-0.32C0.246,-0.32 0.237,-0.318 0.227,-0.314L0.186,-0.297L0.176,-0.293L0.174,-0.284L0.178,-0.228L0.174,-0.218L0.181,-0.169L0.181,-0.159C0.171,-0.158 0.166,-0.154 0.166,-0.148L0.166,-0.146L0.178,-0.119L0.182,-0.056L0.184,-0.032C0.184,-0.024 0.181,-0.018 0.174,-0.016L0.158,-0.011L0.143,0.003L0.131,0.004L0.108,0.016C0.105,0.017 0.104,0.018 0.103,0.018C0.096,0.018 0.092,0.014 0.092,0.005C0.092,0.002 0.092,-0.001 0.093,-0.002L0.103,-0.02L0.1,-0.049L0.11,-0.128L0.103,-0.164L0.112,-0.214L0.11,-0.232L0.118,-0.262L0.118,-0.277L0.111,-0.277L0.11,-0.287L0.112,-0.296L0.118,-0.31L0.117,-0.318L0.118,-0.33L0.111,-0.34L0.108,-0.395L0.11,-0.408L0.111,-0.43L0.115,-0.445L0.108,-0.463L0.11,-0.497L0.109,-0.505L0.117,-0.51L0.115,-0.537L0.103,-0.537C0.101,-0.547 0.1,-0.555 0.1,-0.56C0.1,-0.566 0.101,-0.576 0.103,-0.591C0.103,-0.591 0.104,-0.591 0.104,-0.591C0.104,-0.592 0.104,-0.592 0.104,-0.592C0.104,-0.594 0.104,-0.595 0.103,-0.596C0.102,-0.598 0.1,-0.598 0.099,-0.598L0.084,-0.603L0.076,-0.61L0.067,-0.611L0.068,-0.629L0.076,-0.632L0.115,-0.647L0.141,-0.657L0.239,-0.652L0.26,-0.656C0.265,-0.657 0.274,-0.658 0.286,-0.658L0.304,-0.658L0.336,-0.655L0.358,-0.654L0.366,-0.655L0.384,-0.656L0.387,-0.655L0.395,-0.646L0.439,-0.646L0.464,-0.636L0.476,-0.642L0.507,-0.636L0.516,-0.627C0.522,-0.621 0.527,-0.617 0.531,-0.616L0.568,-0.614L0.601,-0.595L0.619,-0.585C0.617,-0.581 0.616,-0.579 0.616,-0.578C0.616,-0.574 0.62,-0.569 0.627,-0.564L0.628,-0.551L0.635,-0.531ZM0.562,-0.521L0.554,-0.536L0.551,-0.548L0.516,-0.583C0.512,-0.589 0.508,-0.593 0.507,-0.594C0.505,-0.596 0.502,-0.597 0.498,-0.599L0.492,-0.594C0.448,-0.612 0.412,-0.621 0.385,-0.621L0.338,-0.621L0.297,-0.628L0.269,-0.618L0.206,-0.62C0.197,-0.618 0.19,-0.615 0.185,-0.61C0.181,-0.604 0.178,-0.597 0.178,-0.589L0.177,-0.552L0.176,-0.542L0.167,-0.536C0.172,-0.533 0.176,-0.529 0.178,-0.526C0.181,-0.522 0.182,-0.518 0.182,-0.514C0.182,-0.512 0.181,-0.509 0.18,-0.507L0.174,-0.484L0.18,-0.464L0.18,-0.439L0.185,-0.381L0.183,-0.373L0.178,-0.373C0.171,-0.373 0.168,-0.37 0.168,-0.363C0.168,-0.358 0.17,-0.355 0.173,-0.354L0.188,-0.355L0.232,-0.355L0.244,-0.357L0.252,-0.346L0.266,-0.349L0.302,-0.359L0.369,-0.366L0.408,-0.378L0.442,-0.389C0.456,-0.393 0.464,-0.398 0.467,-0.402L0.477,-0.416L0.496,-0.429L0.498,-0.437L0.511,-0.445L0.516,-0.452L0.55,-0.484L0.556,-0.504L0.562,-0.521Z" style="fill:rgb(161,182,246);fill-rule:nonzero;"/>
113 |         </g>
114 |         <g transform="matrix(106.667,0,0,106.667,152.979,246.057)">
115 |             <path d="M0.406,-0.409C0.406,-0.408 0.405,-0.406 0.404,-0.405L0.376,-0.383L0.361,-0.367L0.352,-0.364L0.339,-0.372L0.33,-0.381L0.301,-0.382L0.273,-0.393L0.262,-0.396C0.258,-0.389 0.254,-0.384 0.249,-0.383C0.244,-0.381 0.235,-0.38 0.221,-0.38L0.205,-0.373L0.193,-0.377L0.183,-0.369L0.144,-0.339C0.138,-0.33 0.134,-0.315 0.133,-0.292L0.132,-0.255L0.121,-0.248C0.128,-0.237 0.131,-0.226 0.131,-0.216L0.138,-0.216L0.139,-0.202L0.141,-0.139L0.142,-0.106L0.14,-0.076C0.13,-0.07 0.125,-0.066 0.125,-0.062C0.125,-0.061 0.126,-0.058 0.129,-0.053L0.142,-0.056L0.141,-0.052L0.145,-0.032L0.145,-0.03C0.145,-0.025 0.142,-0.02 0.137,-0.015C0.132,-0.009 0.127,-0.007 0.121,-0.006L0.102,-0.004L0.073,0.011L0.061,0.004L0.063,-0.006L0.07,-0.034L0.067,-0.072L0.07,-0.077L0.08,-0.077L0.08,-0.083L0.079,-0.092L0.073,-0.106L0.072,-0.126L0.068,-0.143L0.068,-0.157L0.069,-0.173C0.07,-0.174 0.072,-0.176 0.073,-0.178C0.074,-0.18 0.076,-0.182 0.079,-0.186C0.081,-0.19 0.084,-0.194 0.087,-0.199L0.092,-0.211L0.091,-0.216C0.076,-0.216 0.068,-0.219 0.068,-0.226L0.07,-0.263L0.067,-0.3C0.068,-0.303 0.07,-0.306 0.073,-0.309L0.073,-0.323L0.067,-0.329L0.065,-0.341L0.064,-0.367L0.053,-0.388C0.056,-0.4 0.061,-0.41 0.069,-0.418L0.099,-0.434L0.117,-0.446C0.126,-0.443 0.133,-0.44 0.136,-0.437C0.139,-0.433 0.141,-0.427 0.141,-0.419L0.141,-0.403C0.141,-0.391 0.144,-0.385 0.149,-0.385L0.151,-0.385L0.176,-0.398L0.2,-0.407L0.242,-0.43L0.256,-0.436L0.267,-0.433L0.289,-0.44C0.302,-0.444 0.311,-0.446 0.318,-0.446L0.339,-0.444C0.345,-0.435 0.351,-0.43 0.355,-0.43C0.356,-0.431 0.356,-0.431 0.356,-0.431C0.357,-0.431 0.357,-0.431 0.358,-0.431L0.369,-0.437C0.372,-0.438 0.374,-0.439 0.375,-0.439C0.383,-0.439 0.391,-0.435 0.398,-0.426C0.403,-0.42 0.406,-0.414 0.406,-0.409Z" style="fill:rgb(161,182,246);fill-rule:nonzero;"/>
116 |         </g>
117 |         <g transform="matrix(106.667,0,0,106.667,191,246.057)">
118 |             <path d="M0.572,-0.248L0.561,-0.25L0.563,-0.239L0.552,-0.231C0.553,-0.225 0.555,-0.222 0.556,-0.22C0.557,-0.219 0.56,-0.217 0.565,-0.214L0.566,-0.204C0.566,-0.169 0.552,-0.13 0.525,-0.089C0.519,-0.08 0.511,-0.07 0.502,-0.06C0.493,-0.05 0.487,-0.043 0.485,-0.04L0.47,-0.036L0.378,0.007L0.327,0.009L0.29,0.018L0.246,0.017L0.231,0.021L0.187,0.013L0.169,0.012L0.159,0.001L0.132,-0.003L0.119,-0.01C0.108,-0.018 0.099,-0.025 0.091,-0.031C0.084,-0.037 0.079,-0.04 0.077,-0.042C0.075,-0.044 0.073,-0.046 0.072,-0.048L0.061,-0.069L0.046,-0.081L0.034,-0.112L0.03,-0.124L0.035,-0.128C0.035,-0.132 0.036,-0.136 0.037,-0.137C0.038,-0.139 0.041,-0.14 0.046,-0.142L0.043,-0.15L0.027,-0.16L0.027,-0.18C0.027,-0.194 0.028,-0.208 0.032,-0.222C0.035,-0.235 0.041,-0.251 0.049,-0.269C0.062,-0.298 0.071,-0.314 0.077,-0.318L0.097,-0.331L0.108,-0.35C0.112,-0.357 0.117,-0.361 0.122,-0.364L0.168,-0.388L0.194,-0.409L0.225,-0.421L0.28,-0.44L0.325,-0.444L0.361,-0.445C0.381,-0.445 0.391,-0.439 0.391,-0.428C0.397,-0.423 0.4,-0.421 0.402,-0.421C0.407,-0.421 0.412,-0.426 0.418,-0.435L0.43,-0.432L0.462,-0.421L0.475,-0.41L0.493,-0.399L0.511,-0.371C0.516,-0.365 0.526,-0.362 0.54,-0.362C0.549,-0.35 0.556,-0.339 0.559,-0.327C0.562,-0.316 0.566,-0.295 0.57,-0.264L0.572,-0.248ZM0.501,-0.236L0.483,-0.292L0.48,-0.317L0.475,-0.326L0.472,-0.326C0.47,-0.326 0.467,-0.327 0.466,-0.328C0.464,-0.329 0.462,-0.33 0.46,-0.333L0.436,-0.363L0.428,-0.375L0.387,-0.394C0.383,-0.401 0.38,-0.405 0.377,-0.408C0.374,-0.412 0.371,-0.413 0.367,-0.413C0.363,-0.413 0.356,-0.411 0.347,-0.408C0.338,-0.412 0.331,-0.414 0.327,-0.414L0.313,-0.412L0.289,-0.411L0.256,-0.399L0.248,-0.406L0.242,-0.398L0.209,-0.378L0.148,-0.325L0.136,-0.315C0.134,-0.298 0.126,-0.279 0.114,-0.258L0.107,-0.246L0.107,-0.242C0.107,-0.235 0.106,-0.23 0.104,-0.228C0.101,-0.226 0.097,-0.224 0.09,-0.223C0.089,-0.218 0.088,-0.215 0.088,-0.216C0.088,-0.215 0.088,-0.215 0.089,-0.214C0.089,-0.214 0.089,-0.213 0.089,-0.213L0.104,-0.196L0.106,-0.185C0.096,-0.177 0.091,-0.171 0.091,-0.168C0.091,-0.168 0.091,-0.166 0.093,-0.162C0.096,-0.165 0.098,-0.167 0.101,-0.167C0.104,-0.167 0.106,-0.166 0.107,-0.164L0.118,-0.128L0.143,-0.087L0.14,-0.062C0.143,-0.059 0.146,-0.058 0.149,-0.058C0.153,-0.058 0.157,-0.06 0.161,-0.064L0.171,-0.061L0.23,-0.025L0.29,-0.019L0.324,-0.014L0.363,-0.021L0.388,-0.027L0.42,-0.059L0.443,-0.066L0.454,-0.078L0.48,-0.132L0.493,-0.143C0.498,-0.148 0.5,-0.152 0.5,-0.155L0.5,-0.157L0.492,-0.18L0.501,-0.236Z" style="fill:rgb(161,182,246);fill-rule:nonzero;"/>
119 |         </g>
120 |         <g transform="matrix(106.667,0,0,106.667,254.802,246.057)">
121 |             <path d="M0.157,-0.682L0.156,-0.678C0.154,-0.676 0.153,-0.675 0.154,-0.675L0.088,-0.63L0.057,-0.606L0.049,-0.601L0.039,-0.616C0.052,-0.634 0.065,-0.648 0.079,-0.658L0.082,-0.668L0.118,-0.709C0.121,-0.713 0.126,-0.715 0.131,-0.715L0.138,-0.715L0.142,-0.705L0.151,-0.695C0.155,-0.689 0.157,-0.685 0.157,-0.682ZM0.154,0.146L0.15,0.206C0.149,0.226 0.147,0.243 0.143,0.255L0.129,0.259L0.128,0.264L0.136,0.29L0.124,0.348L0.122,0.355C0.122,0.36 0.118,0.372 0.109,0.391L0.099,0.415L0.093,0.428L0.084,0.43L0.079,0.441L0.067,0.458L0.042,0.497L0.006,0.534L-0.002,0.546L-0.031,0.559L-0.038,0.568C-0.043,0.574 -0.047,0.577 -0.052,0.579L-0.058,0.577C-0.061,0.577 -0.074,0.581 -0.096,0.588L-0.123,0.588L-0.157,0.599C-0.174,0.602 -0.187,0.603 -0.197,0.603C-0.208,0.603 -0.222,0.595 -0.238,0.579C-0.251,0.567 -0.258,0.557 -0.258,0.55C-0.258,0.547 -0.256,0.544 -0.252,0.542C-0.249,0.539 -0.245,0.538 -0.241,0.538L-0.234,0.539L-0.173,0.56L-0.146,0.56L-0.134,0.569L-0.122,0.572L-0.11,0.562L-0.077,0.559L-0.062,0.549L-0.025,0.532L-0.007,0.514C0.011,0.495 0.022,0.482 0.026,0.473L0.054,0.408L0.07,0.388L0.066,0.363L0.076,0.298L0.076,0.257L0.091,0.231L0.092,0.219C0.083,0.216 0.079,0.21 0.079,0.2L0.079,0.192L0.083,0.148L0.082,0.106L0.086,0.079L0.095,0.076C0.095,0.076 0.097,0.077 0.101,0.078L0.105,0.063L0.099,0.057C0.095,0.058 0.093,0.059 0.092,0.059C0.09,0.059 0.086,0.058 0.081,0.055L0.08,-0.024L0.097,-0.024L0.1,-0.034C0.1,-0.042 0.098,-0.049 0.093,-0.056C0.088,-0.062 0.083,-0.067 0.076,-0.069L0.078,-0.152L0.087,-0.151C0.091,-0.151 0.094,-0.152 0.095,-0.154C0.096,-0.156 0.096,-0.162 0.096,-0.172L0.092,-0.177C0.079,-0.177 0.073,-0.179 0.073,-0.184L0.076,-0.206L0.078,-0.217L0.083,-0.217C0.086,-0.226 0.087,-0.234 0.087,-0.241C0.087,-0.258 0.085,-0.269 0.081,-0.274L0.07,-0.29L0.066,-0.365L0.051,-0.382L0.062,-0.401L0.075,-0.406L0.129,-0.441C0.132,-0.443 0.135,-0.444 0.138,-0.444C0.145,-0.444 0.149,-0.438 0.15,-0.426L0.147,-0.411L0.15,-0.388L0.147,-0.336L0.148,-0.326L0.136,-0.304L0.137,-0.288L0.133,-0.271C0.146,-0.268 0.152,-0.263 0.152,-0.256L0.146,-0.22L0.149,-0.141L0.145,-0.112L0.148,-0.089L0.146,-0.055L0.151,-0.021L0.153,-0.007L0.153,0.012L0.152,0.037L0.152,0.053L0.153,0.071L0.153,0.077L0.147,0.092L0.145,0.105L0.146,0.115L0.154,0.146Z" style="fill:rgb(161,182,246);fill-rule:nonzero;"/>
122 |         </g>
123 |         <g transform="matrix(106.667,0,0,106.667,276.989,246.057)">
124 |             <path d="M0.511,-0.1C0.511,-0.096 0.51,-0.092 0.509,-0.089L0.499,-0.072L0.476,-0.032L0.455,-0.031L0.442,-0.02C0.439,-0.017 0.434,-0.015 0.427,-0.014L0.339,0.003L0.325,0.008L0.294,0.005L0.249,0.009L0.198,0.006L0.184,0.006C0.177,0 0.173,-0.003 0.171,-0.004L0.123,-0.021L0.107,-0.036L0.075,-0.058L0.05,-0.092L0.04,-0.1C0.044,-0.108 0.046,-0.115 0.046,-0.121C0.046,-0.124 0.045,-0.126 0.044,-0.127L0.031,-0.148L0.028,-0.176L0.027,-0.198C0.027,-0.206 0.029,-0.216 0.032,-0.228C0.038,-0.248 0.042,-0.259 0.046,-0.263L0.064,-0.286L0.073,-0.307L0.096,-0.329L0.121,-0.362L0.143,-0.374L0.175,-0.396L0.203,-0.415L0.218,-0.418L0.262,-0.432L0.297,-0.436L0.318,-0.445L0.328,-0.446C0.345,-0.446 0.359,-0.437 0.37,-0.419C0.376,-0.42 0.381,-0.423 0.384,-0.429L0.397,-0.418L0.415,-0.408L0.456,-0.368C0.461,-0.362 0.465,-0.356 0.468,-0.351C0.471,-0.347 0.474,-0.342 0.476,-0.336C0.479,-0.331 0.482,-0.326 0.484,-0.319C0.486,-0.313 0.489,-0.304 0.493,-0.291L0.497,-0.279L0.492,-0.277L0.473,-0.281L0.452,-0.274L0.436,-0.277L0.418,-0.272L0.384,-0.276L0.351,-0.274L0.317,-0.28L0.261,-0.279L0.234,-0.28L0.168,-0.271L0.144,-0.272L0.111,-0.262L0.099,-0.26L0.097,-0.248C0.097,-0.24 0.095,-0.234 0.094,-0.231C0.092,-0.229 0.089,-0.225 0.083,-0.221L0.084,-0.212C0.095,-0.204 0.1,-0.199 0.101,-0.197L0.114,-0.147L0.12,-0.135C0.117,-0.132 0.115,-0.129 0.115,-0.126L0.116,-0.124L0.135,-0.118L0.139,-0.106C0.142,-0.095 0.147,-0.088 0.152,-0.085L0.178,-0.074L0.187,-0.055C0.192,-0.053 0.199,-0.051 0.209,-0.05L0.216,-0.037L0.231,-0.035L0.273,-0.02L0.308,-0.027L0.401,-0.042L0.452,-0.073L0.478,-0.107C0.483,-0.112 0.488,-0.115 0.494,-0.115C0.506,-0.115 0.511,-0.11 0.511,-0.1ZM0.396,-0.33C0.396,-0.335 0.39,-0.346 0.378,-0.363L0.344,-0.387L0.333,-0.399L0.317,-0.4L0.28,-0.403L0.271,-0.401L0.25,-0.389L0.223,-0.383L0.176,-0.365L0.16,-0.342C0.15,-0.335 0.145,-0.331 0.144,-0.329L0.142,-0.323L0.202,-0.319L0.209,-0.32L0.22,-0.323L0.231,-0.321L0.26,-0.315L0.261,-0.315L0.294,-0.321L0.304,-0.323L0.312,-0.312L0.323,-0.312L0.366,-0.321L0.384,-0.319C0.392,-0.32 0.396,-0.324 0.396,-0.33Z" style="fill:rgb(161,182,246);fill-rule:nonzero;"/>
125 |         </g>
126 |         <g transform="matrix(106.667,0,0,106.667,333.604,246.057)">
127 |             <path d="M0.485,-0.093C0.485,-0.091 0.485,-0.089 0.484,-0.088L0.478,-0.063C0.478,-0.063 0.478,-0.062 0.478,-0.062C0.478,-0.061 0.479,-0.06 0.479,-0.059L0.458,-0.033L0.446,-0.03L0.427,-0.017L0.419,-0.015L0.397,-0.004L0.364,-0.005C0.358,-0.005 0.351,-0.003 0.341,0.002L0.316,0.016L0.277,0.019L0.238,0.016L0.229,0.009L0.2,0.005L0.168,-0.004L0.123,-0.014L0.102,-0.032L0.083,-0.052L0.089,-0.069C0.083,-0.066 0.077,-0.065 0.072,-0.065L0.068,-0.065L0.059,-0.075L0.047,-0.096L0.04,-0.105L0.037,-0.133L0.041,-0.147L0.037,-0.155L0.027,-0.166L0.033,-0.191L0.031,-0.236L0.048,-0.265L0.069,-0.308L0.096,-0.331L0.145,-0.378L0.178,-0.402L0.187,-0.405L0.207,-0.42L0.27,-0.44L0.285,-0.444C0.286,-0.444 0.286,-0.444 0.287,-0.444C0.287,-0.443 0.288,-0.443 0.288,-0.443L0.313,-0.432L0.338,-0.439L0.385,-0.431L0.425,-0.437C0.43,-0.436 0.435,-0.434 0.441,-0.431C0.438,-0.421 0.435,-0.414 0.432,-0.41C0.429,-0.407 0.423,-0.403 0.413,-0.399L0.412,-0.388L0.392,-0.376L0.378,-0.369L0.376,-0.369L0.363,-0.371L0.346,-0.369L0.271,-0.381C0.268,-0.382 0.265,-0.382 0.26,-0.382C0.255,-0.382 0.252,-0.382 0.25,-0.381L0.209,-0.373L0.196,-0.373C0.185,-0.371 0.174,-0.362 0.163,-0.347L0.142,-0.34L0.133,-0.32L0.116,-0.317C0.118,-0.314 0.118,-0.312 0.118,-0.31L0.098,-0.271L0.096,-0.254L0.097,-0.224C0.097,-0.21 0.099,-0.198 0.101,-0.188C0.103,-0.179 0.106,-0.17 0.111,-0.16L0.107,-0.149C0.104,-0.143 0.102,-0.14 0.102,-0.138C0.102,-0.136 0.103,-0.134 0.105,-0.131C0.115,-0.128 0.119,-0.127 0.119,-0.127C0.122,-0.125 0.127,-0.119 0.134,-0.109L0.147,-0.091L0.152,-0.08L0.163,-0.08L0.169,-0.072L0.201,-0.049L0.215,-0.037L0.231,-0.032L0.245,-0.027L0.267,-0.026L0.323,-0.02L0.325,-0.019C0.331,-0.019 0.342,-0.024 0.36,-0.033L0.369,-0.03L0.403,-0.053C0.412,-0.055 0.42,-0.058 0.429,-0.064C0.437,-0.07 0.449,-0.08 0.463,-0.095C0.467,-0.1 0.471,-0.103 0.475,-0.103C0.478,-0.103 0.48,-0.102 0.482,-0.1C0.484,-0.098 0.485,-0.096 0.485,-0.093Z" style="fill:rgb(161,182,246);fill-rule:nonzero;"/>
128 |         </g>
129 |         <g transform="matrix(106.667,0,0,106.667,386.729,246.057)">
130 |             <path d="M0.373,-0.426L0.368,-0.412L0.367,-0.402L0.332,-0.376L0.311,-0.357L0.299,-0.355L0.281,-0.357C0.269,-0.358 0.258,-0.36 0.248,-0.363C0.238,-0.365 0.233,-0.366 0.234,-0.366L0.233,-0.366L0.2,-0.364L0.181,-0.367C0.177,-0.367 0.173,-0.365 0.17,-0.362C0.167,-0.359 0.165,-0.356 0.165,-0.353C0.165,-0.349 0.167,-0.347 0.171,-0.346L0.17,-0.283C0.156,-0.279 0.149,-0.273 0.149,-0.265L0.15,-0.254L0.17,-0.25L0.172,-0.203L0.173,-0.193L0.168,-0.178C0.164,-0.18 0.161,-0.181 0.158,-0.181C0.15,-0.181 0.146,-0.177 0.146,-0.17C0.146,-0.167 0.149,-0.162 0.154,-0.155C0.158,-0.16 0.161,-0.163 0.163,-0.163C0.164,-0.163 0.167,-0.161 0.173,-0.156L0.174,-0.09L0.176,-0.08L0.187,-0.057C0.188,-0.055 0.188,-0.049 0.188,-0.04C0.196,-0.035 0.202,-0.032 0.207,-0.031C0.211,-0.029 0.217,-0.029 0.225,-0.029C0.236,-0.029 0.246,-0.031 0.256,-0.034C0.266,-0.038 0.275,-0.042 0.281,-0.048L0.329,-0.092C0.331,-0.094 0.334,-0.095 0.337,-0.095C0.341,-0.095 0.347,-0.093 0.354,-0.089L0.351,-0.078C0.344,-0.051 0.339,-0.037 0.334,-0.035L0.219,0.007L0.199,0.017L0.184,0.008L0.174,0.006L0.169,0.019L0.16,0.02C0.15,0.02 0.139,0.015 0.126,0.006C0.112,-0.005 0.105,-0.014 0.104,-0.019L0.101,-0.033L0.095,-0.05L0.096,-0.077L0.096,-0.108L0.106,-0.14L0.103,-0.152L0.101,-0.169L0.101,-0.18L0.103,-0.227L0.102,-0.24L0.1,-0.257C0.1,-0.258 0.1,-0.259 0.101,-0.259L0.114,-0.274C0.115,-0.276 0.116,-0.278 0.116,-0.28C0.116,-0.287 0.111,-0.291 0.099,-0.291L0.095,-0.297C0.098,-0.321 0.1,-0.344 0.1,-0.368C0.084,-0.371 0.073,-0.373 0.065,-0.373C0.045,-0.373 0.024,-0.37 0.004,-0.363C0.001,-0.365 0,-0.368 0,-0.37C0,-0.376 0.001,-0.379 0.004,-0.381L0.023,-0.397L0.026,-0.408C0.027,-0.411 0.028,-0.413 0.031,-0.415C0.033,-0.416 0.035,-0.417 0.036,-0.417L0.093,-0.419L0.106,-0.421L0.105,-0.432L0.102,-0.536L0.09,-0.564L0.087,-0.579C0.097,-0.593 0.106,-0.603 0.116,-0.608C0.126,-0.614 0.139,-0.618 0.154,-0.621C0.16,-0.631 0.166,-0.636 0.171,-0.636C0.18,-0.636 0.184,-0.621 0.184,-0.592C0.184,-0.547 0.18,-0.515 0.172,-0.496C0.167,-0.483 0.163,-0.476 0.158,-0.476L0.158,-0.453C0.163,-0.453 0.166,-0.453 0.168,-0.452C0.17,-0.451 0.172,-0.449 0.174,-0.446L0.171,-0.432L0.173,-0.421L0.183,-0.42L0.232,-0.409C0.236,-0.408 0.241,-0.407 0.248,-0.407C0.255,-0.407 0.26,-0.408 0.263,-0.409L0.282,-0.415L0.319,-0.419L0.347,-0.429L0.372,-0.429C0.373,-0.427 0.373,-0.425 0.373,-0.426Z" style="fill:rgb(161,182,246);fill-rule:nonzero;"/>
131 |         </g>
132 |         <g transform="matrix(106.667,0,0,106.667,119.359,368.723)">
133 |             <path d="M0.715,-0.026L0.706,-0.013C0.705,-0.013 0.704,-0.013 0.703,-0.013C0.702,-0.013 0.702,-0.013 0.701,-0.012C0.695,-0.012 0.689,-0.01 0.684,-0.007C0.677,-0.002 0.657,0.006 0.624,0.017L0.615,0.019L0.61,0.025L0.601,0.02L0.587,-0L0.57,-0.01L0.562,-0.017L0.554,-0.015L0.546,-0.023L0.466,-0.077L0.437,-0.11L0.409,-0.125C0.388,-0.137 0.376,-0.15 0.371,-0.166L0.362,-0.164L0.346,-0.175L0.311,-0.198C0.304,-0.203 0.301,-0.206 0.301,-0.208L0.3,-0.224L0.295,-0.235C0.287,-0.226 0.279,-0.221 0.273,-0.221L0.269,-0.221L0.241,-0.238L0.221,-0.248L0.182,-0.279L0.169,-0.285L0.164,-0.266L0.166,-0.153L0.165,-0.132L0.161,-0.134L0.157,-0.126L0.158,-0.115L0.16,-0.096L0.169,-0.083C0.17,-0.082 0.17,-0.082 0.17,-0.081L0.169,-0.047L0.169,-0.041L0.164,-0.037L0.169,-0.021L0.169,-0.018L0.145,-0.007L0.126,0.006L0.121,0.002L0.098,0.011L0.09,0.012L0.076,0.017L0.069,0.004L0.074,-0.008C0.078,-0.019 0.081,-0.026 0.083,-0.031C0.085,-0.035 0.086,-0.038 0.087,-0.041C0.088,-0.044 0.089,-0.046 0.089,-0.047L0.094,-0.091L0.097,-0.105C0.104,-0.107 0.109,-0.109 0.112,-0.112C0.115,-0.115 0.116,-0.12 0.116,-0.127L0.115,-0.144L0.101,-0.142L0.097,-0.162C0.097,-0.169 0.1,-0.175 0.107,-0.18L0.107,-0.191C0.102,-0.197 0.1,-0.204 0.1,-0.211L0.1,-0.22L0.101,-0.258L0.1,-0.299L0.114,-0.306L0.117,-0.311L0.111,-0.339L0.117,-0.347L0.107,-0.352C0.106,-0.355 0.105,-0.358 0.104,-0.361C0.104,-0.363 0.104,-0.371 0.104,-0.384L0.103,-0.395C0.11,-0.399 0.115,-0.402 0.116,-0.405C0.118,-0.408 0.119,-0.413 0.119,-0.42L0.102,-0.428L0.1,-0.441L0.098,-0.473L0.095,-0.49L0.097,-0.51L0.086,-0.521L0.087,-0.527L0.083,-0.565L0.082,-0.597L0.067,-0.615L0.068,-0.621L0.136,-0.654C0.144,-0.658 0.15,-0.66 0.156,-0.66C0.165,-0.66 0.169,-0.654 0.169,-0.643L0.169,-0.634C0.165,-0.631 0.162,-0.628 0.161,-0.626C0.159,-0.625 0.158,-0.622 0.157,-0.618C0.168,-0.609 0.173,-0.597 0.173,-0.582L0.172,-0.569C0.157,-0.564 0.15,-0.557 0.15,-0.547C0.15,-0.538 0.158,-0.534 0.173,-0.534L0.171,-0.442C0.159,-0.438 0.153,-0.434 0.153,-0.43C0.153,-0.429 0.153,-0.428 0.154,-0.427L0.169,-0.398L0.166,-0.386L0.167,-0.35L0.164,-0.339L0.154,-0.329L0.163,-0.326L0.172,-0.329L0.187,-0.336L0.216,-0.359C0.228,-0.366 0.236,-0.37 0.239,-0.371C0.25,-0.374 0.257,-0.377 0.26,-0.378C0.262,-0.379 0.264,-0.381 0.266,-0.384C0.267,-0.387 0.269,-0.39 0.27,-0.394L0.282,-0.399L0.318,-0.421L0.334,-0.433L0.343,-0.444L0.365,-0.46L0.415,-0.51L0.432,-0.518C0.433,-0.525 0.437,-0.532 0.444,-0.541L0.45,-0.549L0.461,-0.548C0.464,-0.548 0.468,-0.55 0.472,-0.554L0.469,-0.559L0.472,-0.563L0.467,-0.573L0.482,-0.594L0.494,-0.609L0.537,-0.63L0.568,-0.648C0.569,-0.648 0.57,-0.649 0.57,-0.649C0.571,-0.649 0.571,-0.649 0.572,-0.649C0.575,-0.649 0.578,-0.648 0.58,-0.646C0.582,-0.644 0.583,-0.641 0.583,-0.638C0.583,-0.63 0.577,-0.62 0.564,-0.608C0.551,-0.596 0.542,-0.587 0.536,-0.581C0.53,-0.576 0.526,-0.571 0.523,-0.569C0.511,-0.553 0.502,-0.543 0.498,-0.539C0.494,-0.536 0.488,-0.534 0.479,-0.532L0.474,-0.523C0.463,-0.503 0.453,-0.491 0.445,-0.487L0.432,-0.481L0.382,-0.433L0.347,-0.412L0.304,-0.381L0.284,-0.361L0.27,-0.346L0.261,-0.339C0.261,-0.335 0.262,-0.332 0.263,-0.33C0.264,-0.328 0.266,-0.327 0.269,-0.326C0.274,-0.319 0.28,-0.313 0.287,-0.308C0.323,-0.287 0.344,-0.272 0.352,-0.263C0.353,-0.263 0.354,-0.262 0.354,-0.261C0.355,-0.26 0.356,-0.259 0.356,-0.259L0.364,-0.234L0.38,-0.234C0.381,-0.234 0.382,-0.234 0.384,-0.233C0.385,-0.232 0.387,-0.232 0.388,-0.231L0.432,-0.198L0.455,-0.185L0.474,-0.168C0.481,-0.163 0.486,-0.159 0.489,-0.157C0.491,-0.155 0.493,-0.151 0.496,-0.145L0.511,-0.144L0.55,-0.108L0.55,-0.088L0.578,-0.087L0.585,-0.078L0.594,-0.073C0.592,-0.068 0.591,-0.064 0.591,-0.06C0.591,-0.055 0.593,-0.05 0.598,-0.045C0.602,-0.04 0.605,-0.038 0.609,-0.038C0.612,-0.038 0.615,-0.039 0.619,-0.041L0.621,-0.049L0.629,-0.051C0.632,-0.051 0.639,-0.048 0.648,-0.042L0.649,-0.032L0.655,-0.03L0.692,-0.038L0.694,-0.038C0.7,-0.038 0.707,-0.034 0.715,-0.026Z" style="fill:rgb(161,182,246);fill-rule:nonzero;"/>
134 |         </g>
135 |         <g transform="matrix(106.667,0,0,106.667,193.473,368.723)">
136 |             <path d="M0.572,-0.248L0.561,-0.25L0.563,-0.239L0.552,-0.231C0.553,-0.225 0.555,-0.222 0.556,-0.22C0.557,-0.219 0.56,-0.217 0.565,-0.214L0.566,-0.204C0.566,-0.169 0.552,-0.13 0.525,-0.089C0.519,-0.08 0.511,-0.07 0.502,-0.06C0.493,-0.05 0.487,-0.043 0.485,-0.04L0.47,-0.036L0.378,0.007L0.327,0.009L0.29,0.018L0.246,0.017L0.231,0.021L0.187,0.013L0.169,0.012L0.159,0.001L0.132,-0.003L0.119,-0.01C0.108,-0.018 0.099,-0.025 0.091,-0.031C0.084,-0.037 0.079,-0.04 0.077,-0.042C0.075,-0.044 0.073,-0.046 0.072,-0.048L0.061,-0.069L0.046,-0.081L0.034,-0.112L0.03,-0.124L0.035,-0.128C0.035,-0.132 0.036,-0.136 0.037,-0.137C0.038,-0.139 0.041,-0.14 0.046,-0.142L0.043,-0.15L0.027,-0.16L0.027,-0.18C0.027,-0.194 0.028,-0.208 0.032,-0.222C0.035,-0.235 0.041,-0.251 0.049,-0.269C0.062,-0.298 0.071,-0.314 0.077,-0.318L0.097,-0.331L0.108,-0.35C0.112,-0.357 0.117,-0.361 0.122,-0.364L0.168,-0.388L0.194,-0.409L0.225,-0.421L0.28,-0.44L0.325,-0.444L0.361,-0.445C0.381,-0.445 0.391,-0.439 0.391,-0.428C0.397,-0.423 0.4,-0.421 0.402,-0.421C0.407,-0.421 0.412,-0.426 0.418,-0.435L0.43,-0.432L0.462,-0.421L0.475,-0.41L0.493,-0.399L0.511,-0.371C0.516,-0.365 0.526,-0.362 0.54,-0.362C0.549,-0.35 0.556,-0.339 0.559,-0.327C0.562,-0.316 0.566,-0.295 0.57,-0.264L0.572,-0.248ZM0.501,-0.236L0.483,-0.292L0.48,-0.317L0.475,-0.326L0.472,-0.326C0.47,-0.326 0.467,-0.327 0.466,-0.328C0.464,-0.329 0.462,-0.33 0.46,-0.333L0.436,-0.363L0.428,-0.375L0.387,-0.394C0.383,-0.401 0.38,-0.405 0.377,-0.408C0.374,-0.412 0.371,-0.413 0.367,-0.413C0.363,-0.413 0.356,-0.411 0.347,-0.408C0.338,-0.412 0.331,-0.414 0.327,-0.414L0.313,-0.412L0.289,-0.411L0.256,-0.399L0.248,-0.406L0.242,-0.398L0.209,-0.378L0.148,-0.325L0.136,-0.315C0.134,-0.298 0.126,-0.279 0.114,-0.258L0.107,-0.246L0.107,-0.242C0.107,-0.235 0.106,-0.23 0.104,-0.228C0.101,-0.226 0.097,-0.224 0.09,-0.223C0.089,-0.218 0.088,-0.215 0.088,-0.216C0.088,-0.215 0.088,-0.215 0.089,-0.214C0.089,-0.214 0.089,-0.213 0.089,-0.213L0.104,-0.196L0.106,-0.185C0.096,-0.177 0.091,-0.171 0.091,-0.168C0.091,-0.168 0.091,-0.166 0.093,-0.162C0.096,-0.165 0.098,-0.167 0.101,-0.167C0.104,-0.167 0.106,-0.166 0.107,-0.164L0.118,-0.128L0.143,-0.087L0.14,-0.062C0.143,-0.059 0.146,-0.058 0.149,-0.058C0.153,-0.058 0.157,-0.06 0.161,-0.064L0.171,-0.061L0.23,-0.025L0.29,-0.019L0.324,-0.014L0.363,-0.021L0.388,-0.027L0.42,-0.059L0.443,-0.066L0.454,-0.078L0.48,-0.132L0.493,-0.143C0.498,-0.148 0.5,-0.152 0.5,-0.155L0.5,-0.157L0.492,-0.18L0.501,-0.236Z" style="fill:rgb(161,182,246);fill-rule:nonzero;"/>
137 |         </g>
138 |         <g transform="matrix(106.667,0,0,106.667,257.276,368.723)">
139 |             <path d="M0.489,-0.033L0.484,-0.024L0.476,-0.012L0.462,-0.007L0.442,0.004L0.423,0.01C0.411,0.015 0.404,0.017 0.402,0.017C0.4,0.017 0.397,0.016 0.395,0.013C0.393,0.011 0.392,0.009 0.392,0.007C0.392,0.004 0.394,-0.004 0.397,-0.015C0.399,-0.018 0.4,-0.024 0.401,-0.032L0.391,-0.026L0.347,-0.011C0.338,-0.007 0.33,-0.005 0.321,-0.005L0.301,-0.005L0.278,0.006L0.262,0.008L0.217,0.017L0.198,0.014L0.185,0.019L0.176,0.021L0.161,0.02L0.129,0.013L0.107,0.011C0.092,0.009 0.079,0.004 0.068,-0.004C0.057,-0.012 0.049,-0.023 0.044,-0.036L0.031,-0.041L0.028,-0.053L0.027,-0.062L0.02,-0.085L0.038,-0.121L0.044,-0.137C0.046,-0.141 0.052,-0.148 0.062,-0.156L0.1,-0.187L0.116,-0.193L0.143,-0.204C0.143,-0.204 0.144,-0.204 0.145,-0.204C0.146,-0.204 0.147,-0.203 0.148,-0.203C0.154,-0.217 0.167,-0.224 0.185,-0.224L0.188,-0.227L0.198,-0.227C0.202,-0.232 0.207,-0.236 0.211,-0.238C0.215,-0.24 0.223,-0.242 0.235,-0.244L0.296,-0.255L0.314,-0.253L0.337,-0.258L0.378,-0.262C0.392,-0.265 0.399,-0.272 0.399,-0.282C0.399,-0.284 0.399,-0.285 0.398,-0.285L0.393,-0.307L0.397,-0.339C0.396,-0.346 0.394,-0.351 0.39,-0.354C0.386,-0.357 0.38,-0.359 0.372,-0.36L0.365,-0.371C0.358,-0.383 0.352,-0.39 0.348,-0.394C0.343,-0.397 0.334,-0.4 0.322,-0.403L0.294,-0.409L0.267,-0.41L0.254,-0.408C0.251,-0.41 0.249,-0.411 0.247,-0.413C0.245,-0.415 0.244,-0.418 0.243,-0.422L0.23,-0.416L0.215,-0.402L0.167,-0.378C0.157,-0.372 0.15,-0.367 0.147,-0.362L0.14,-0.352C0.137,-0.347 0.132,-0.344 0.127,-0.344L0.117,-0.346L0.103,-0.353L0.088,-0.356C0.083,-0.358 0.078,-0.36 0.073,-0.364C0.068,-0.368 0.066,-0.372 0.066,-0.375C0.066,-0.377 0.066,-0.378 0.067,-0.378L0.075,-0.384L0.091,-0.396L0.108,-0.399L0.134,-0.412L0.166,-0.423L0.175,-0.425L0.196,-0.436L0.213,-0.433L0.272,-0.446L0.297,-0.445L0.316,-0.445L0.336,-0.438L0.394,-0.427L0.403,-0.422L0.403,-0.415L0.396,-0.411C0.398,-0.4 0.402,-0.394 0.408,-0.394C0.409,-0.394 0.409,-0.395 0.41,-0.395C0.41,-0.395 0.41,-0.395 0.411,-0.395L0.425,-0.401L0.427,-0.401C0.43,-0.401 0.432,-0.399 0.433,-0.396L0.443,-0.378L0.453,-0.37L0.453,-0.359L0.451,-0.334C0.451,-0.323 0.456,-0.314 0.467,-0.306L0.473,-0.234L0.46,-0.216L0.475,-0.198L0.476,-0.192L0.473,-0.146L0.477,-0.111L0.477,-0.092L0.47,-0.09C0.471,-0.082 0.471,-0.076 0.472,-0.074C0.472,-0.072 0.473,-0.069 0.475,-0.064L0.489,-0.033ZM0.411,-0.118C0.406,-0.122 0.403,-0.126 0.402,-0.129L0.404,-0.149L0.4,-0.194L0.406,-0.207L0.39,-0.216L0.382,-0.214L0.337,-0.217L0.316,-0.216L0.3,-0.227L0.29,-0.221L0.263,-0.22L0.244,-0.213L0.233,-0.219L0.219,-0.211L0.146,-0.176L0.13,-0.164L0.117,-0.145L0.1,-0.135C0.097,-0.132 0.096,-0.129 0.096,-0.126L0.097,-0.124L0.101,-0.118L0.1,-0.114L0.111,-0.07L0.1,-0.042L0.108,-0.032L0.121,-0.048C0.126,-0.044 0.13,-0.041 0.134,-0.038C0.138,-0.035 0.142,-0.033 0.148,-0.031C0.153,-0.03 0.16,-0.028 0.169,-0.026L0.179,-0.012L0.213,-0.009L0.222,-0.018L0.232,-0.013L0.244,-0.02C0.252,-0.017 0.257,-0.016 0.258,-0.016C0.268,-0.016 0.28,-0.021 0.296,-0.03L0.307,-0.036C0.336,-0.036 0.356,-0.042 0.365,-0.054L0.375,-0.067L0.399,-0.087L0.4,-0.093L0.399,-0.099C0.404,-0.101 0.407,-0.103 0.408,-0.105C0.41,-0.107 0.41,-0.112 0.411,-0.118Z" style="fill:rgb(161,182,246);fill-rule:nonzero;"/>
140 |         </g>
141 |         <g transform="matrix(106.667,0,0,106.667,314.463,368.723)">
142 |             <path d="M0.16,-0.087L0.158,-0.061L0.159,-0.041C0.159,-0.036 0.157,-0.032 0.152,-0.029L0.155,-0.017L0.144,-0.015L0.112,0.005L0.099,0.007L0.084,0.016C0.083,0.016 0.082,0.016 0.081,0.016C0.08,0.017 0.078,0.017 0.077,0.017C0.071,0.017 0.068,0.015 0.068,0.011L0.068,-0.001L0.065,-0.023L0.072,-0.076L0.074,-0.144C0.075,-0.161 0.079,-0.174 0.085,-0.185L0.079,-0.2C0.074,-0.21 0.071,-0.216 0.071,-0.218C0.071,-0.223 0.075,-0.232 0.083,-0.246C0.086,-0.251 0.088,-0.256 0.088,-0.262C0.088,-0.267 0.083,-0.271 0.073,-0.275L0.075,-0.283L0.071,-0.285L0.071,-0.3L0.079,-0.334L0.079,-0.418L0.089,-0.457C0.089,-0.462 0.085,-0.468 0.077,-0.474L0.077,-0.497L0.075,-0.585C0.075,-0.591 0.079,-0.603 0.088,-0.618L0.095,-0.631C0.083,-0.636 0.077,-0.641 0.077,-0.646C0.077,-0.645 0.078,-0.651 0.08,-0.665L0.07,-0.674L0.07,-0.693L0.068,-0.716L0.068,-0.72L0.076,-0.745L0.068,-0.78L0.07,-0.797L0.06,-0.854L0.06,-0.862L0.064,-0.878L0.067,-0.898L0.111,-0.922L0.131,-0.937L0.139,-0.939L0.146,-0.928L0.147,-0.907L0.151,-0.893L0.152,-0.885L0.152,-0.873L0.149,-0.837L0.149,-0.834L0.15,-0.817C0.15,-0.811 0.149,-0.807 0.148,-0.804L0.136,-0.779L0.135,-0.769C0.141,-0.769 0.145,-0.768 0.147,-0.766C0.149,-0.764 0.15,-0.759 0.15,-0.752L0.15,-0.741C0.15,-0.735 0.146,-0.729 0.138,-0.725L0.138,-0.713L0.137,-0.703L0.137,-0.699L0.146,-0.685L0.142,-0.592L0.142,-0.525L0.129,-0.499L0.136,-0.462L0.126,-0.438C0.127,-0.435 0.13,-0.431 0.135,-0.427L0.143,-0.418L0.147,-0.26L0.135,-0.246C0.136,-0.24 0.136,-0.233 0.136,-0.226C0.136,-0.215 0.135,-0.204 0.132,-0.194L0.136,-0.183L0.15,-0.183L0.15,-0.165L0.16,-0.087Z" style="fill:rgb(161,182,246);fill-rule:nonzero;"/>
143 |         </g>
144 |         <g transform="matrix(106.667,0,0,106.667,337.953,368.723)">
145 |             <path d="M0.489,-0.033L0.484,-0.024L0.476,-0.012L0.462,-0.007L0.442,0.004L0.423,0.01C0.411,0.015 0.404,0.017 0.402,0.017C0.4,0.017 0.397,0.016 0.395,0.013C0.393,0.011 0.392,0.009 0.392,0.007C0.392,0.004 0.394,-0.004 0.397,-0.015C0.399,-0.018 0.4,-0.024 0.401,-0.032L0.391,-0.026L0.347,-0.011C0.338,-0.007 0.33,-0.005 0.321,-0.005L0.301,-0.005L0.278,0.006L0.262,0.008L0.217,0.017L0.198,0.014L0.185,0.019L0.176,0.021L0.161,0.02L0.129,0.013L0.107,0.011C0.092,0.009 0.079,0.004 0.068,-0.004C0.057,-0.012 0.049,-0.023 0.044,-0.036L0.031,-0.041L0.028,-0.053L0.027,-0.062L0.02,-0.085L0.038,-0.121L0.044,-0.137C0.046,-0.141 0.052,-0.148 0.062,-0.156L0.1,-0.187L0.116,-0.193L0.143,-0.204C0.143,-0.204 0.144,-0.204 0.145,-0.204C0.146,-0.204 0.147,-0.203 0.148,-0.203C0.154,-0.217 0.167,-0.224 0.185,-0.224L0.188,-0.227L0.198,-0.227C0.202,-0.232 0.207,-0.236 0.211,-0.238C0.215,-0.24 0.223,-0.242 0.235,-0.244L0.296,-0.255L0.314,-0.253L0.337,-0.258L0.378,-0.262C0.392,-0.265 0.399,-0.272 0.399,-0.282C0.399,-0.284 0.399,-0.285 0.398,-0.285L0.393,-0.307L0.397,-0.339C0.396,-0.346 0.394,-0.351 0.39,-0.354C0.386,-0.357 0.38,-0.359 0.372,-0.36L0.365,-0.371C0.358,-0.383 0.352,-0.39 0.348,-0.394C0.343,-0.397 0.334,-0.4 0.322,-0.403L0.294,-0.409L0.267,-0.41L0.254,-0.408C0.251,-0.41 0.249,-0.411 0.247,-0.413C0.245,-0.415 0.244,-0.418 0.243,-0.422L0.23,-0.416L0.215,-0.402L0.167,-0.378C0.157,-0.372 0.15,-0.367 0.147,-0.362L0.14,-0.352C0.137,-0.347 0.132,-0.344 0.127,-0.344L0.117,-0.346L0.103,-0.353L0.088,-0.356C0.083,-0.358 0.078,-0.36 0.073,-0.364C0.068,-0.368 0.066,-0.372 0.066,-0.375C0.066,-0.377 0.066,-0.378 0.067,-0.378L0.075,-0.384L0.091,-0.396L0.108,-0.399L0.134,-0.412L0.166,-0.423L0.175,-0.425L0.196,-0.436L0.213,-0.433L0.272,-0.446L0.297,-0.445L0.316,-0.445L0.336,-0.438L0.394,-0.427L0.403,-0.422L0.403,-0.415L0.396,-0.411C0.398,-0.4 0.402,-0.394 0.408,-0.394C0.409,-0.394 0.409,-0.395 0.41,-0.395C0.41,-0.395 0.41,-0.395 0.411,-0.395L0.425,-0.401L0.427,-0.401C0.43,-0.401 0.432,-0.399 0.433,-0.396L0.443,-0.378L0.453,-0.37L0.453,-0.359L0.451,-0.334C0.451,-0.323 0.456,-0.314 0.467,-0.306L0.473,-0.234L0.46,-0.216L0.475,-0.198L0.476,-0.192L0.473,-0.146L0.477,-0.111L0.477,-0.092L0.47,-0.09C0.471,-0.082 0.471,-0.076 0.472,-0.074C0.472,-0.072 0.473,-0.069 0.475,-0.064L0.489,-0.033ZM0.411,-0.118C0.406,-0.122 0.403,-0.126 0.402,-0.129L0.404,-0.149L0.4,-0.194L0.406,-0.207L0.39,-0.216L0.382,-0.214L0.337,-0.217L0.316,-0.216L0.3,-0.227L0.29,-0.221L0.263,-0.22L0.244,-0.213L0.233,-0.219L0.219,-0.211L0.146,-0.176L0.13,-0.164L0.117,-0.145L0.1,-0.135C0.097,-0.132 0.096,-0.129 0.096,-0.126L0.097,-0.124L0.101,-0.118L0.1,-0.114L0.111,-0.07L0.1,-0.042L0.108,-0.032L0.121,-0.048C0.126,-0.044 0.13,-0.041 0.134,-0.038C0.138,-0.035 0.142,-0.033 0.148,-0.031C0.153,-0.03 0.16,-0.028 0.169,-0.026L0.179,-0.012L0.213,-0.009L0.222,-0.018L0.232,-0.013L0.244,-0.02C0.252,-0.017 0.257,-0.016 0.258,-0.016C0.268,-0.016 0.28,-0.021 0.296,-0.03L0.307,-0.036C0.336,-0.036 0.356,-0.042 0.365,-0.054L0.375,-0.067L0.399,-0.087L0.4,-0.093L0.399,-0.099C0.404,-0.101 0.407,-0.103 0.408,-0.105C0.41,-0.107 0.41,-0.112 0.411,-0.118Z" style="fill:rgb(161,182,246);fill-rule:nonzero;"/>
146 |         </g>
147 |     </g>
148 | </svg>
149 | 


--------------------------------------------------------------------------------
/images/tealogo-big.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CycloneDX/transparency-exchange-api/b3d81f6486e75c84b78e35e46e80e4a4db277e02/images/tealogo-big.png


--------------------------------------------------------------------------------
/images/tealogo-on-black.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CycloneDX/transparency-exchange-api/b3d81f6486e75c84b78e35e46e80e4a4db277e02/images/tealogo-on-black.png


--------------------------------------------------------------------------------
/images/tealogo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CycloneDX/transparency-exchange-api/b3d81f6486e75c84b78e35e46e80e4a4db277e02/images/tealogo.png


--------------------------------------------------------------------------------
/out/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CycloneDX/transparency-exchange-api/b3d81f6486e75c84b78e35e46e80e4a4db277e02/out/.gitkeep


--------------------------------------------------------------------------------
/presentations/koalacon2024/00-welcome.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CycloneDX/transparency-exchange-api/b3d81f6486e75c84b78e35e46e80e4a4db277e02/presentations/koalacon2024/00-welcome.pdf


--------------------------------------------------------------------------------
/presentations/koalacon2024/01-introduction-overview.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CycloneDX/transparency-exchange-api/b3d81f6486e75c84b78e35e46e80e4a4db277e02/presentations/koalacon2024/01-introduction-overview.pdf


--------------------------------------------------------------------------------
/presentations/koalacon2024/02-tea-data-model.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CycloneDX/transparency-exchange-api/b3d81f6486e75c84b78e35e46e80e4a4db277e02/presentations/koalacon2024/02-tea-data-model.pdf


--------------------------------------------------------------------------------
/presentations/koalacon2024/03-dependency-track.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CycloneDX/transparency-exchange-api/b3d81f6486e75c84b78e35e46e80e4a4db277e02/presentations/koalacon2024/03-dependency-track.pdf


--------------------------------------------------------------------------------
/presentations/koalacon2024/04-tea-sbomify.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CycloneDX/transparency-exchange-api/b3d81f6486e75c84b78e35e46e80e4a4db277e02/presentations/koalacon2024/04-tea-sbomify.pdf


--------------------------------------------------------------------------------
/presentations/koalacon2024/05-tea-and-java.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CycloneDX/transparency-exchange-api/b3d81f6486e75c84b78e35e46e80e4a4db277e02/presentations/koalacon2024/05-tea-and-java.pdf


--------------------------------------------------------------------------------
/presentations/oej/koala-beta-one-cisa-sbom-community.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CycloneDX/transparency-exchange-api/b3d81f6486e75c84b78e35e46e80e4a4db277e02/presentations/oej/koala-beta-one-cisa-sbom-community.pdf


--------------------------------------------------------------------------------
/presentations/oej/koala-tea-intro-normal-format.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CycloneDX/transparency-exchange-api/b3d81f6486e75c84b78e35e46e80e4a4db277e02/presentations/oej/koala-tea-intro-normal-format.pdf


--------------------------------------------------------------------------------
/presentations/oej/koala-tea-intro-sbomarama.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CycloneDX/transparency-exchange-api/b3d81f6486e75c84b78e35e46e80e4a4db277e02/presentations/oej/koala-tea-intro-sbomarama.pdf


--------------------------------------------------------------------------------
/presentations/oej/koala-transparency-exchange.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CycloneDX/transparency-exchange-api/b3d81f6486e75c84b78e35e46e80e4a4db277e02/presentations/oej/koala-transparency-exchange.pdf


--------------------------------------------------------------------------------
/presentations/oej/tea-collection.key.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CycloneDX/transparency-exchange-api/b3d81f6486e75c84b78e35e46e80e4a4db277e02/presentations/oej/tea-collection.key.pdf


--------------------------------------------------------------------------------
/presentations/oej/tea-publish.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CycloneDX/transparency-exchange-api/b3d81f6486e75c84b78e35e46e80e4a4db277e02/presentations/oej/tea-publish.pdf


--------------------------------------------------------------------------------
/presentations/steve.springett/Ecma TC54 + CycloneDX Brief (June 2024).pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CycloneDX/transparency-exchange-api/b3d81f6486e75c84b78e35e46e80e4a4db277e02/presentations/steve.springett/Ecma TC54 + CycloneDX Brief (June 2024).pdf


--------------------------------------------------------------------------------
/presentations/steve.springett/Transparency Exchange API Kickoff.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CycloneDX/transparency-exchange-api/b3d81f6486e75c84b78e35e46e80e4a4db277e02/presentations/steve.springett/Transparency Exchange API Kickoff.pdf


--------------------------------------------------------------------------------
/signatures/signature.md:
--------------------------------------------------------------------------------
  1 | # Transparency Exchange API - Trusting digital signatures in TEA
  2 | 
  3 | Software transparency requires a trust platform so that users
  4 | can validate the information and artefacts published. Given
  5 | the situation today any information published is better than
  6 | none, so the framework for digital signatures will not
  7 | be mandatory for API compliance. Implementations may
  8 | require all published information to be signed and
  9 | validated. In some vertical markets branch standards may require
 10 | digital signatures.
 11 | 
 12 | Within the TEA API documents may be signed with an electronic
 13 | signature. CycloneDX Documents support [signatures](https://cyclonedx.org/use-cases/#authenticity) within
 14 | the JSON and XML files, but other artefacts may need external
 15 | signature files, a detached signature.
 16 | 
 17 | ## Requirements
 18 | 
 19 | Digital signatures provide integrity and identity to published data.
 20 | 
 21 | - __Integrity__: Documents dowloaded must be the same
 22 |   as documents published
 23 | - __Identity__: Customers need to be able to verify the
 24 |   publisher of the documents and verify that it is
 25 |   the expected publisher.
 26 |   A TEA server may want to verify that published
 27 |   documents are signed by the expected publisher
 28 |   and that signatures are valid.
 29 | 
 30 | In order to sign an object, a pair of asymmetric keys will be
 31 | needed. The public key is used to create a certificate, signed
 32 | by a certificate authority (CA). The private key is used for
 33 | signing and needs to be protected.
 34 | 
 35 | A software publisher may buy CA services from a commercial vendor
 36 | or set up an internal PKI solution. The issue with internal PKIs is that
 37 | external parties do not automatically trust that internal PKI.
 38 | 
 39 | This document outlines a proposal on how to build that trust and
 40 | make it possible for publishers to use an internal PKI. It is
 41 | of course important that this PKI is maintained according to
 42 | best current practise.
 43 | 
 44 | ## API trust
 45 | 
 46 | The TEA API is built on the HTTP protocol with TLS encryption
 47 | and authentication, using the `https://` URL scheme.
 48 | 
 49 | The TLS server certificate is normally issued by a public Certificate
 50 | Authority that is part of the Web PKI. The client needs to validate
 51 | the TLS server certificate to make sure
 52 | 
 53 | - that the certificate name (CN or Subject Alt Name) matches the
 54 |   host part of the URI.
 55 | - that the certificate is valid, i.e. the not-before date and the
 56 |   not-after date is not out of range
 57 | - that the certificate is signed by a trusted CA
 58 | 
 59 | If the certificate validates properly, the API can be trusted.
 60 | Validation proves that the server is the right server for the
 61 | given host name in the URL. 
 62 | 
 63 | This trust can be used to implement trust in a private PKI
 64 | used to sign documents delivered over the API. 
 65 | 
 66 | In addition, trust anchors can be
 67 | published in DNSsec as an extra level of validation.
 68 | 
 69 | ## Getting trust anchors
 70 | 
 71 | Much like the EST protocol, the TEA protocol can be used
 72 | to download trust anchors for a private PKI. These are
 73 | PEM-encoded certificates in one single text file.
 74 | 
 75 | The TEA API has a `/trust-anchors/` API that will download
 76 | the current trust anchor APIs. This file is not signed,
 77 | that would cause a chicken-and-egg problem. The certificates
 78 | in the file are all signed.
 79 | 
 80 | An implementation should download these and apply them only
 81 | for this service, not in global scope. A PKI valid for example.com
 82 | is not valid for example.net.
 83 | 
 84 | Note that the TEA api can host many years of documents for
 85 | published versions. Old and expired trust anchors may be needed
 86 | to validate digital signatures on old documents.
 87 | 
 88 | ## Validating the trust anchors using DNSsec (DANE)
 89 | 
 90 | ## Digital signatures
 91 | 
 92 | ### Digital signatures as specified for CycloneDX
 93 | 
 94 | > "Digital signatures may be applied to a BOM or to an assembly within a BOM.
 95 | > CycloneDX supports XML Signature, JSON Web Signature (JWS), and JSON Signature Format (JSF).
 96 | > Signed BOMs benefit by providing advanced integrity and non-repudiation capabilities."
 97 | <https://cyclonedx.org/use-cases/#authenticity>
 98 | 
 99 | ### External (detached) digital signatures for other documents
100 | 
101 | - indication of hash algorithm
102 | - indicator of cert used
103 | - intermediate cert and sign cert
104 | 
105 | ### Validating the digital signature
106 | 
107 | ## Using Sigstore for signing
108 | 
109 | Sigstore is an excellent free service for both signing of GIT commits as well
110 | as artefacts by using ephemeral certificates (very shortlived) and a
111 | certificate transparency log for validation and verification.
112 | Sigstore signatures contain timestamps from a timestamping service.
113 | 
114 | Sigstore lends itself very well to Open Source projects but not really
115 | commercial projects. The Sigstore platform can be deployed internally
116 | for enterprise use, but in that case will have the same problem as any
117 | internal PKI with establishing trust.
118 | 
119 | ## Suggested PKI setup
120 | 
121 | ### Root cert
122 | 
123 | #### Root cert validity and renewal
124 | 
125 | ### Intermediate cert
126 | 
127 | #### Intermediate cert validity and renewal
128 | 
129 | ### Signature
130 | 
131 | #### Time stamp services
132 | 
133 | ### DNS entry
134 | 
135 | ## References
136 | 
137 | - IETF RFC DANE
138 | - IETF DANCE architecture (IETF draft)
139 | - IETF Digital signature
140 | - JSON web signatures (JWS) - <https://datatracker.ietf.org/doc/html/rfc7515>
141 | - JSON signature format (JSF) - <https://cyberphone.github.io/doc/security/jsf.html>
142 | - [IETF Enrollment over Secure Transport (EST) RFC 7030](https://www.rfc-editor.org/rfc/rfc7030)
143 | 


--------------------------------------------------------------------------------
/spec/README.md:
--------------------------------------------------------------------------------
 1 | # TEA OpenAPI Spec
 2 | 
 3 | The OpenAPI 3.1 specification for the Transparency Exchange API is available in [openapi.yaml](./openapi.yaml).
 4 | 
 5 | - [Generating API Clients from OpenAPI Spec](#generating-api-clients-from-openapi-spec)
 6 | 
 7 | ## Generating API Clients from OpenAPI Spec
 8 | 
 9 | We use the OpenAPI Generator with configuration per language/framework in the `generators` folder. An example is:
10 | 
11 | ```bash
12 | docker run \
13 |     --rm \
14 |     -v "$(PWD):/local" \
15 |     openapitools/openapi-generator-cli \
16 |     batch --clean /local/spec/generators/typescript.yaml
17 | ```
18 | 
19 | ## Preview Specs
20 | 
21 | Fire up the `swagger-ui` with Docker from the root of the repository:
22 | 
23 | ```bash
24 | docker run \
25 |     -p 8080:8080 \
26 |     -e SWAGGER_JSON=/koala/spec/openapi.yaml \
27 |     -v $(pwd):/koala swaggerapi/swagger-ui
28 | ```
29 | 
30 | And browse to [http://localhost:8080](http://localhost:8080).
31 | 


--------------------------------------------------------------------------------
/spec/generators/common.yaml:
--------------------------------------------------------------------------------
1 | inputSpec: /local/spec/openapi.yaml
2 | gitUserId: CycloneDX
3 | gitRepoId: transparency-exchange-api
4 | 
5 | globalProperties:
6 |   skipFormModel: false


--------------------------------------------------------------------------------
/spec/generators/go.yaml:
--------------------------------------------------------------------------------
1 | '!include': 'common.yaml'
2 | outputDir: /local/out/go
3 | generatorName: go
4 | gitRepoId: transparency-exchange-api-go
5 | additionalProperties:
6 |   goImportAlias: tea_client
7 |   packageName: tea_client


--------------------------------------------------------------------------------
/spec/generators/java-webclient.yaml:
--------------------------------------------------------------------------------
 1 | '!include': 'common.yaml'
 2 | outputDir: /local/out/java-webclient
 3 | generatorName: java
 4 | additionalProperties:
 5 |   library: webclient
 6 |   artifactDescription: Transparency Exchange API Java Webclient
 7 |   artifactId: tea-api-webclient
 8 |   artifactUrl: https://github.com/CycloneDX/transparency-exchange-api
 9 |   invokerPackage: org.cyclonedx.tea.webclient
10 |   apiPackage: org.cyclonedx.tea.webclient.api
11 |   modelPackage: org.cyclonedx.tea.webclient.model
12 |   developerEmail: community@sonatype.com
13 |   developerName: OWASP Foundation
14 |   developerOrganization: OWASP Foundation
15 |   developerOrganizationUrl: https://cyclonedx.org/
16 |   groupId: org.cyclonedx.tea
17 |   licenseName: Apache-2.0
18 |   licenseUrl: https://github.com/CycloneDX/transparency-exchange-api/blob/main/LICENSE
19 |   scmConnection: scm:git:git@github.com:CycloneDX/transparency-exchange-api.git
20 |   scmDeveloperConnection: scm:git:git@github.com:CycloneDX/transparency-exchange-api.git
21 |   scmUrl: https://github.com/CycloneDX/transparency-exchange-api
22 |   useJakartaEe: true
23 |   asyncNative: true
24 |   generateBuilders: true
25 |   parentGroupId: org.sonatype.buildsupport
26 |   parentArtifactId: public-parent
27 |   parentVersion: 50


--------------------------------------------------------------------------------
/spec/generators/python.yaml:
--------------------------------------------------------------------------------
1 | '!include': 'common.yaml'
2 | outputDir: /local/out/python
3 | generatorName: python
4 | additionalProperties:
5 |   library: urllib3
6 |   licenseInfo: "Apache-2.0"
7 |   packageName: "tea_api_client"
8 |   projectName: "Transparency Exchange API (TEA)"


--------------------------------------------------------------------------------
/spec/generators/typescript.yaml:
--------------------------------------------------------------------------------
1 | '!include': 'common.yaml'
2 | outputDir: /local/out/typescript
3 | generatorName: typescript-fetch
4 | additionalProperties:
5 |   npmName: "@cyclonedx/tea-api-client"
6 |   supportsES6: true
7 |   withInterfaces: true


--------------------------------------------------------------------------------
/spec/generators/update-pom.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Check if the file path is provided
 4 | if [ -z "$1" ]; then
 5 |   echo "Usage: $0 <path-to-xml-file>"
 6 |   exit 1
 7 | fi
 8 | 
 9 | # File path
10 | FILE=$1
11 | 
12 | # Use sed to remove the <build> tag and its content
13 | sed -i.bak '/<build>/,/<\/build>/d' "$FILE"
14 | 
15 | echo "The <build> tag has been removed from $FILE. A backup has been saved as $FILE.bak."


--------------------------------------------------------------------------------
/spec/openapi.yaml:
--------------------------------------------------------------------------------
  1 | # $schema: https://spec.openapis.org/oas/3.1/schema-base/2025-02-13
  2 | openapi: 3.1.1
  3 | jsonSchemaDialect: https://spec.openapis.org/oas/3.1/dialect/base
  4 | info:
  5 |   title: Transparency Exchange API
  6 |   summary: The OWASP Transparency Exchange API specification for consumers and publishers
  7 |   description: TBC
  8 |   contact:
  9 |     name: TEA Working Group
 10 |     email: tbc@somewhere.tld
 11 |     url: https://github.com/CycloneDX/transparency-exchange-api
 12 |   license:
 13 |     name: Apache 2.0
 14 |     url: https://github.com/CycloneDX/transparency-exchange-api/blob/main/LICENSE
 15 |   version: 0.1.0-beta.1
 16 | servers:
 17 |   - url: http://localhost/tea/v1
 18 |     description: Local development
 19 | paths:
 20 |   /product/{uuid}:
 21 |     get:
 22 |       description: Returns the corresponding TEA components for a given TEA product UUID.
 23 |       operationId: getTeaProductByUuid
 24 |       parameters:
 25 |         - name: uuid
 26 |           in: path
 27 |           required: true
 28 |           description: UUID of the TEA product in the TEA server
 29 |           schema:
 30 |             type: string
 31 |             format: uuid
 32 |       responses:
 33 |         '200':
 34 |           description: Requested TEA Product found and returned
 35 |           content:
 36 |             application/json:
 37 |               schema:
 38 |                 $ref: "#/components/schemas/product"
 39 |         '400':
 40 |           $ref: "#/components/responses/400-invalid-request"
 41 |         '404':
 42 |           $ref: "#/components/responses/404-object-by-id-not-found"
 43 |       tags:
 44 |         - TEA Product
 45 |   /products:
 46 |     get:
 47 |       description: Returns a list of TEA products. Note that multiple products may
 48 |         match.
 49 |       operationId: getTeaProductByIdentifier
 50 |       parameters:
 51 |         - $ref: "#/components/parameters/page-offset"
 52 |         - $ref: "#/components/parameters/page-size"
 53 |         - $ref: "#/components/parameters/id-type"
 54 |         - $ref: "#/components/parameters/id-value"
 55 |       responses:
 56 |         '200':
 57 |           $ref: "#/components/responses/paginated-product"
 58 |         '400':
 59 |           $ref: "#/components/responses/400-invalid-request"
 60 |       tags:
 61 |         - TEA Product
 62 |   /component/{uuid}:
 63 |     get:
 64 |       description: Get a TEA Component
 65 |       operationId: getTeaComponentById
 66 |       parameters:
 67 |         - name: uuid
 68 |           in: path
 69 |           required: true
 70 |           description: UUID of TEA Component in the TEA server
 71 |           schema:
 72 |             type: string
 73 |             format: uuid
 74 |       responses:
 75 |         '200':
 76 |           description: Requested TEA Component found and returned
 77 |           content:
 78 |             application/json:
 79 |               schema:
 80 |                 "$ref": "#/components/schemas/component"
 81 |         '400':
 82 |           $ref: "#/components/responses/400-invalid-request"
 83 |         '404':
 84 |           $ref: "#/components/responses/404-object-by-id-not-found"
 85 |       tags:
 86 |         - TEA Component
 87 |   /component/{uuid}/releases:
 88 |     get:
 89 |       description: Get releases of the component
 90 |       operationId: getReleasesByComponentId
 91 |       parameters:
 92 |         - name: uuid
 93 |           in: path
 94 |           required: true
 95 |           description: UUID of TEA Component in the TEA server
 96 |           schema:
 97 |             type: string
 98 |             format: uuid
 99 |       responses:
100 |         '200':
101 |           description: Requested Releases of TEA Component found and returned
102 |           content:
103 |             application/json:
104 |               schema:
105 |                 type: array
106 |                 items:
107 |                   "$ref": "#/components/schemas/release"
108 |         '400':
109 |           $ref: "#/components/responses/400-invalid-request"
110 |         '404':
111 |           $ref: "#/components/responses/404-object-by-id-not-found"
112 |       tags:
113 |         - TEA Component
114 |   /release/{uuid}/collection/latest:
115 |     get:
116 |       description: Get the latest TEA Collection belonging to the TEA Release
117 |       operationId: getLatestCollection
118 |       parameters:
119 |         - name: uuid
120 |           in: path
121 |           required: true
122 |           description: UUID of TEA Release in the TEA server
123 |           schema:
124 |             type: string
125 |             format: uuid
126 |       responses:
127 |         '200':
128 |           description: Requested TEA Collection found and returned
129 |           content:
130 |             application/json:
131 |               schema:
132 |                 "$ref": "#/components/schemas/collection"
133 |         '400':
134 |           $ref: "#/components/responses/400-invalid-request"
135 |         '404':
136 |           $ref: "#/components/responses/404-object-by-id-not-found"
137 |       tags:
138 |         - TEA Release
139 |   /release/{uuid}/collections:
140 |     get:
141 |       description: Get the TEA Collections belonging to the TEA Release
142 |       operationId: getCollectionsByReleaseId
143 |       parameters:
144 |         - name: uuid
145 |           in: path
146 |           required: true
147 |           description: UUID of TEA Release in the TEA server
148 |           schema:
149 |             type: string
150 |             format: uuid
151 |       responses:
152 |         '200':
153 |           description: Requested TEA Collection found and returned
154 |           content:
155 |             application/json:
156 |               schema:
157 |                 type: array
158 |                 items:
159 |                   "$ref": "#/components/schemas/collection"
160 |         '400':
161 |           $ref: "#/components/responses/400-invalid-request"
162 |         '404':
163 |           $ref: "#/components/responses/404-object-by-id-not-found"
164 |       tags:
165 |         - TEA Release
166 |   /release/{uuid}/collection/{collectionVersion}:
167 |     get:
168 |       description: Get a specific Collection (by version) for a TEA Release by its UUID
169 |       operationId: getCollection
170 |       parameters:
171 |         - name: uuid
172 |           in: path
173 |           required: true
174 |           description: UUID of TEA Collection in the TEA server
175 |           schema:
176 |             "$ref": "#/components/schemas/uuid"
177 |         - name: collectionVersion
178 |           in: path
179 |           required: true
180 |           description: Version of TEA Collection
181 |           schema:
182 |             type: integer
183 |       responses:
184 |         '200':
185 |           description: Requested TEA Collection Version found and returned
186 |           content:
187 |             application/json:
188 |               schema:
189 |                 "$ref": "#/components/schemas/collection"
190 |         '400':
191 |           $ref: "#/components/responses/400-invalid-request"
192 |         '404':
193 |           $ref: "#/components/responses/404-object-by-id-not-found"
194 |       tags:
195 |         - TEA Release
196 |   /artifact/{uuid}:
197 |     get:
198 |       description: Get metadata for specific TEA artifact
199 |       operationId: getArtifact
200 |       parameters:
201 |         - name: uuid
202 |           in: path
203 |           required: true
204 |           description: UUID of TEA Artifact in the TEA server
205 |           schema:
206 |             "$ref": "#/components/schemas/uuid"
207 |       responses:
208 |         '200':
209 |           description: Requested TEA Artifact metadata found and returned
210 |           content:
211 |             application/json:
212 |               schema:
213 |                 "$ref": "#/components/schemas/artifact"
214 |         '400':
215 |           $ref: "#/components/responses/400-invalid-request"
216 |         '404':
217 |           $ref: "#/components/responses/404-object-by-id-not-found"
218 |       tags:
219 |         - TEA Artifact
220 | components:
221 |   schemas:
222 |     #
223 |     # Definitions reused in multiple domain objects
224 |     #
225 |     date-time:
226 |       type: string
227 |       description: Timestamp
228 |       format: date-time
229 |       pattern: "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}Z$"
230 |       example: '2024-03-20T15:30:00Z'
231 |     identifier:
232 |       type: object
233 |       description: An identifier with a specified type
234 |       properties:
235 |         idType:
236 |           description: Type of identifier, e.g. `TEI`, `PURL`, `CPE`
237 |           "$ref": "#/components/schemas/identifier-type"
238 |         idValue:
239 |           description: Identifier value
240 |           type: string
241 |     identifier-type:
242 |       type: string
243 |       description: Enumeration of identifiers types
244 |       enum:
245 |         - CPE
246 |         - TEI
247 |         - PURL
248 |     uuid:
249 |       type: string
250 |       description: A UUID
251 |       format: uuid
252 |       pattern: "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
253 | 
254 |     #
255 |     # TEA Product
256 |     #
257 |     product:
258 |       type: object
259 |       description: A TEA product
260 |       properties:
261 |         uuid:
262 |           description: A unique identifier for the TEA product
263 |           "$ref": "#/components/schemas/uuid"
264 |         name:
265 |           type: string
266 |           description: Product name
267 |         identifiers:
268 |           type: array
269 |           description: List of identifiers for the product
270 |           items:
271 |             "$ref": "#/components/schemas/identifier"
272 |         components:
273 |           type: array
274 |           description: List of TEA components for the product
275 |           items:
276 |             description: Unique identifier of the TEA component
277 |             "$ref": "#/components/schemas/uuid"
278 |       required:
279 |         - uuid
280 |         - name
281 |         - identifiers
282 |         - components
283 |       examples:
284 |         - uuid: 09e8c73b-ac45-4475-acac-33e6a7314e6d
285 |           name: Apache Log4j 2
286 |           identifiers:
287 |             - idType: CPE
288 |               idValue: cpe:2.3:a:apache:log4j
289 |             - idType: PURL
290 |               idValue: pkg:maven/org.apache.logging.log4j/log4j-api
291 |             - idType: PURL
292 |               idValue: pkg:maven/org.apache.logging.log4j/log4j-core
293 |             - idType: PURL
294 |               idValue: pkg:maven/org.apache.logging.log4j/log4j-layout-template-json
295 |           components:
296 |             - 3910e0fd-aff4-48d6-b75f-8bf6b84687f0
297 |             - b844c9bd-55d6-478c-af59-954a932b6ad3
298 |             - d6d3f754-d4f4-4672-b096-b994b064ca2d
299 | 
300 |     #
301 |     # TEA Component and related objects
302 |     #
303 |     component:
304 |       type: object
305 |       description: A TEA component
306 |       properties:
307 |         uuid:
308 |           description: A unique identifier for the TEA component
309 |           "$ref": "#/components/schemas/uuid"
310 |         name:
311 |           type: string
312 |           description: Component name
313 |         identifiers:
314 |           type: array
315 |           description: List of identifiers for the component
316 |           items:
317 |             "$ref": "#/components/schemas/identifier"
318 |       required:
319 |         - uuid
320 |         - name
321 |         - identifiers
322 |         - versions
323 |       examples:
324 |         - uuid: 3910e0fd-aff4-48d6-b75f-8bf6b84687f0
325 |           name: Apache Log4j API
326 |           identifiers:
327 |             - idType: PURL
328 |               idValue: pkg:maven/org.apache.logging.log4j/log4j-api
329 |         - uuid: b844c9bd-55d6-478c-af59-954a932b6ad3
330 |           name: Apache Log4j Core
331 |           identifiers:
332 |             - idType: CPE
333 |               idValue: cpe:2.3:a:apache:log4j
334 |             - idType: PURL
335 |               idValue: pkg:maven/org.apache.logging.log4j/log4j-core
336 | 
337 |     #
338 |     # TEA Release and related objects
339 |     #
340 |     release:
341 |       type: object
342 |       properties:
343 |         uuid:
344 |           description: A unique identifier for the TEA Component Release
345 |           "$ref": "#/components/schemas/uuid"
346 |         version:
347 |           description: Version number
348 |           type: string
349 |           example: 1.2.3
350 |         createdDate:
351 |           description: Timestamp when this Release was created in TEA (for sorting purposes)
352 |           "$ref": "#/components/schemas/date-time"
353 |         releaseDate:
354 |           description: Timestamp of the release
355 |           "$ref": "#/components/schemas/date-time"
356 |         preRelease:
357 |           type: boolean
358 |           description: |
359 |             A flag indicating pre-release (or beta) status.
360 |             May be disabled after the creation of the release object, but can't be enabled after creation of an object.
361 |         identifiers:
362 |           type: array
363 |           description: List of identifiers for the component
364 |           items:
365 |             "$ref": "#/components/schemas/identifier"
366 |         # add lifecycle here
367 |       required:
368 |         - uuid
369 |         - version
370 |         - createdDate
371 |       examples:
372 |         # Apache Tomcat 11.0.6
373 |         - uuid: 605d0ecb-1057-40e4-9abf-c400b10f0345
374 |           version: "11.0.6"
375 |           createdDate: 2025-04-01T15:43:00Z
376 |           releaseDate: 2025-04-01T15:43:00Z
377 |           identifiers:
378 |             - idType: PURL
379 |               idValue: pkg:maven/org.apache.tomcat/tomcat@11.0.6
380 |         # Different release of Apache Tomcat
381 |         - uuid: da89e38e-95e7-44ca-aa7d-f3b6b34c7fab
382 |           version: "10.1.40"
383 |           createdDate: 2025-04-01T18:20:00Z
384 |           releaseDate: 2025-04-01T18:20:00Z
385 |           identifiers:
386 |             - idType: PURL
387 |               idValue: pkg:maven/org.apache.tomcat/tomcat@10.1.40
388 |         # A pre-release of Apache Tomcat
389 |         - uuid: 95f481df-f760-47f4-b2f2-f8b76d858450
390 |           version: "11.0.0-M26"
391 |           createdDate: 2024-09-13T17:49:00Z
392 |           preRelease: true
393 |           identifiers:
394 |             - idType: PURL
395 |               idValue: pkg:maven/org.apache.tomcat/tomcat@11.0.0-M26
396 | 
397 |     #
398 |     # TEA Collection and related objects
399 |     #
400 |     collection:
401 |       type: object
402 |       description: A collection of security-related documents
403 |       properties:
404 |         uuid:
405 |           description: |
406 |             UUID of the TEA Collection object.
407 |             Note that this is equal to the UUID of the associated TEA Component Release object.
408 |             When updating a collection, only the `version` is changed.
409 |           "$ref": "#/components/schemas/uuid"
410 |         version:
411 |           type: integer
412 |           description: |
413 |             TEA Collection version, incremented each time its content changes.
414 |             Versions start with 1.
415 |         date:
416 |           description: The date when the TEA Collection version was created.
417 |           "$ref": "#/components/schemas/date-time"
418 |         updateReason:
419 |           description: Reason for the update/release of the TEA Collection object.
420 |           "$ref": "#/components/schemas/collection-update-reason"
421 |         artifacts:
422 |           type: array
423 |           description: List of TEA artifact objects.
424 |           items:
425 |             "$ref": "#/components/schemas/artifact"
426 |       examples:
427 |         # Documents in the latest release of Log4j Core
428 |         - uuid: 4c72fe22-9d83-4c2f-8eba-d6db484f32c8
429 |           version: 3
430 |           date: 2024-12-13T00:00:00Z
431 |           updateReason:
432 |             type: ARTIFACT_UPDATED
433 |             comment: VDR file updated
434 |           artifacts:
435 |             - uuid: 1cb47b95-8bf8-3bad-a5a4-0d54d86e10ce
436 |               name: Build SBOM
437 |               type: BOM
438 |               formats:
439 |                 - mime_type: application/vnd.cyclonedx+xml
440 |                   description: CycloneDX SBOM (XML)
441 |                   url: https://repo.maven.apache.org/maven2/org/apache/logging/log4j/log4j-core/2.24.3/log4j-core-2.24.3-cyclonedx.xml
442 |                   signature_url: https://repo.maven.apache.org/maven2/org/apache/logging/log4j/log4j-core/2.24.3/log4j-core-2.24.3-cyclonedx.xml.asc
443 |                   checksums:
444 |                     - algType: MD5
445 |                       algValue: 2e1a525afc81b0a8ecff114b8b743de9
446 |                     - algType: SHA-1
447 |                       algValue: 5a7d4caef63c5c5ccdf07c39337323529eb5a770
448 |             - uuid: dfa35519-9734-4259-bba1-3e825cf4be06
449 |               name: Vulnerability Disclosure Report
450 |               type: vulnerability-assertion
451 |               formats:
452 |                 - mime_type: application/vnd.cyclonedx+xml
453 |                   description: CycloneDX VDR (XML)
454 |                   url: https://logging.apache.org/cyclonedx/vdr.xml
455 |                   checksums:
456 |                     - algType: SHA-256
457 |                       algValue: 75b81020b3917cb682b1a7605ade431e062f7a4c01a412f0b87543b6e995ad2a
458 | 
459 |     collection-update-reason:
460 |       type: object
461 |       description: Reason for the update to the TEA collection
462 |       properties:
463 |         type:
464 |           description: Type of update reason.
465 |           "$ref": "#/components/schemas/collection-update-reason-type"
466 |         comment:
467 |           type: string
468 |           description: Free text description
469 |     collection-update-reason-type:
470 |       type: string
471 |       description: Type of TEA collection update
472 |       enum:
473 |         - INITIAL_RELEASE
474 |         - VEX_UPDATED
475 |         - ARTIFACT_UPDATED
476 |         - ARTIFACT_ADDED
477 |         - ARTIFACT_REMOVED
478 | 
479 |     #
480 |     # TEA Artifact and related objects
481 |     #
482 |     artifact:
483 |       type: object
484 |       description: A security-related document
485 |       properties:
486 |         uuid:
487 |           description: UUID of the TEA Artifact object.
488 |           "$ref": "#/components/schemas/uuid"
489 |         name:
490 |           type: string
491 |           description: Artifact name
492 |         type:
493 |           description: Type of artifact
494 |           "$ref": "#/components/schemas/artifact-type"
495 |         formats:
496 |           type: array
497 |           description: |
498 |             List of objects with the same content, but in different formats.
499 |             The order of the list has no significance.
500 |           items:
501 |             "$ref": "#/components/schemas/artifact-format"
502 |     artifact-type:
503 |       type: string
504 |       description: Specifies the type of external reference.
505 |       enum:
506 |         - ATTESTATION
507 |         - BOM
508 |         - BUILD_META
509 |         - CERTIFICATION
510 |         - FORMULATION
511 |         - LICENSE
512 |         - RELEASE_NOTES
513 |         - SECURITY_TXT
514 |         - THREAT_MODEL
515 |         - VULNERABILITIES
516 |         - OTHER
517 |     artifact-format:
518 |       type: object
519 |       description: A security-related document in a specific format
520 |       properties:
521 |         mime_type:
522 |           type: string
523 |           description: The MIME type of the document
524 |         description:
525 |           type: string
526 |           description: A free text describing the artifact
527 |         url:
528 |           type: string
529 |           description: Direct download URL for the artifact
530 |           format: url
531 |         signatureUrl:
532 |           type: string
533 |           description: Direct download URL for an external signature of the artifact
534 |           format: url
535 |         checksums:
536 |           type: array
537 |           description: List of checksums for the artifact
538 |           items:
539 |             "$ref": "#/components/schemas/artifact-checksum"
540 |     artifact-checksum:
541 |       type: object
542 |       properties:
543 |         algType:
544 |           description: Checksum algorithm
545 |           "$ref": "#/components/schemas/artifact-checksum-type"
546 |         algValue:
547 |           type: string
548 |           description: Checksum value
549 |     artifact-checksum-type:
550 |       type: string
551 |       description: Checksum algorithm
552 |       enum:
553 |         - MD5
554 |         - SHA-1
555 |         - SHA-256
556 |         - SHA-384
557 |         - SHA-512
558 |         - SHA3-256
559 |         - SHA3-384
560 |         - SHA3-512
561 |         - BLAKE2b-256
562 |         - BLAKE2b-384
563 |         - BLAKE2b-512
564 |         - BLAKE3
565 |     #
566 |     # Types used in API responses
567 |     #
568 |     pagination-details:
569 |       type: object
570 |       properties:
571 |         timestamp:
572 |           type: string
573 |           format: date-time
574 |           example: '2024-03-20T15:30:00Z'
575 |         pageStartIndex:
576 |           type: integer
577 |           format: int64
578 |           default: 0
579 |         pageSize:
580 |           type: integer
581 |           format: int64
582 |           default: 100
583 |         totalResults:
584 |           type: integer
585 |           format: int64
586 |       required:
587 |         - timestamp
588 |         - pageStartIndex
589 |         - pageSize
590 |         - totalResults
591 |   responses:
592 |     204-common-delete:
593 |       description: Object deleted successfully
594 |       content:
595 |         application/json: {}
596 |     400-invalid-request:
597 |       description: Request was Invalid
598 |       content:
599 |         application/json: {}
600 |     401-unauthorized:
601 |       description: Authentication required
602 |       content:
603 |         application/json: {}
604 |     404-object-by-id-not-found:
605 |       description: Object requested by identifier not found
606 |       content:
607 |         application/json: {}
608 |     paginated-product:
609 |       description: A paginated response containing TEA Products
610 |       content:
611 |         application/json:
612 |           schema:
613 |             allOf:
614 |               - $ref: "#/components/schemas/pagination-details"
615 |               - type: object
616 |                 properties:
617 |                   results:
618 |                     type: array
619 |                     items:
620 |                       "$ref": "#/components/schemas/product"
621 |   parameters:
622 |     # Pagination
623 |     page-offset:
624 |       name: pageOffset
625 |       description: Pagination offset
626 |       in: query
627 |       required: false
628 |       schema:
629 |         type: integer
630 |         format: int64
631 |         default: 0
632 |     page-size:
633 |       name: pageSize
634 |       description: Pagination offset
635 |       in: query
636 |       required: false
637 |       schema:
638 |         type: integer
639 |         format: int64
640 |         default: 100
641 |     #
642 |     # Query by identifier
643 |     #
644 |     # Since OpenAPI 3.0 it is possible to use RFC 6570-based serialization for JSON parameters of type array or object:
645 |     #   https://swagger.io/docs/specification/v3_0/serialization/
646 |     #
647 |     # Unfortunately many tools don't support it, for example,
648 |     # the `openapi-generator` for Java does not handle this correctly.
649 |     #   https://github.com/OpenAPITools/openapi-generator/issues/4808
650 |     #
651 |     # This can be uncommented, when RFC 6570-base serialization reaches a wider adoption:
652 |     #
653 |     # identifier-param:
654 |     #   name: identifierParam
655 |     #   description: If present, only the objects with the given identifier will be returned.
656 |     #   in: query
657 |     #   schema:
658 |     #     $ref: "#/components/schemas/identifier"
659 |     #   style: form
660 |     #   explode: true
661 |     #
662 |     # In the meantime we explode the object manually:
663 |     id-type:
664 |       # To allow RFC 6570 in the future without breaking changes to the HTTP API,
665 |       # the name of this parameter should be identical to the equivalent property in /components/schemas/identifier
666 |       name: idType
667 |       description: Type of identifier specified in the `idValue` parameter
668 |       in: query
669 |       schema:
670 |         $ref: "#/components/schemas/identifier-type"
671 |     id-value:
672 |       # To allow RFC 6570 in the future without breaking changes to the HTTP API,
673 |       # the name of this parameter should be identical to the equivalent property in /components/schemas/identifier
674 |       name: idValue
675 |       description: If present, only the objects with the given identifier value will be returned.
676 |       in: query
677 |       schema:
678 |         type: string
679 | 
680 |   securitySchemes:
681 |     bearerAuth:
682 |       type: http
683 |       scheme: bearer
684 |     basicAuth:
685 |       type: http
686 |       scheme: basic
687 | security:
688 |   - bearerAuth: []
689 |   - basicAuth: []
690 | tags:
691 |   - name: TEA Product
692 |   - name: TEA Component
693 |   - name: TEA Release
694 |   - name: TEA Artifact
695 | externalDocs:
696 |   description: Transparency Exchange API specification
697 |   url: https://github.com/CycloneDX/transparency-exchange-api
698 | 


--------------------------------------------------------------------------------
/spec/publisher/README.md:
--------------------------------------------------------------------------------
1 | This specification will be a recommended TEA publisher API.
2 | 
3 | The TEA specification is focused on the consumption API, which is the base of
4 | conformance with the specification.
5 | 
6 | NOTE: This is a copy of the OpenAPI specification including both consumption and publication APIs.
7 | 


--------------------------------------------------------------------------------
/tea-artifact/tea-artifact.md:
--------------------------------------------------------------------------------
 1 | ## Known types
 2 | 
 3 | meta:enum:
 4 | - vcs: Version Control System
 5 | - issue-tracker: Issue or defect tracking system, or an Application Lifecycle
 6 |    Management (ALM) system
 7 | - website: Website
 8 | - advisories: Security advisories
 9 | - bom: Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)
10 | - mailing-list: Mailing list or discussion group
11 | - social: Social media account
12 | - chat: Real-time chat platform
13 | - documentation: Documentation, guides, or how-to instructions
14 | - support: Community or commercial support
15 | - source-distribution:
16 |    description: The location where the source code distributable can be obtained.
17 |      This is often an archive format such as zip or tgz. The source-distribution
18 |      type complements use of the version control (vcs) type.
19 | - distribution: Direct or repository download location
20 | - distribution-intake: The location where a component was published to. This
21 |    is often the same as "distribution" but may also include specialized publishing
22 |    processes that act as an intermediary.
23 | - license: The reference to the license file. If a license URL has been defined
24 |    in the license node, it should also be defined as an external reference
25 |    for completeness.
26 | - build-meta: Build-system specific meta file (i.e. pom.xml, package.json, .nuspec,
27 |    etc)
28 | - build-system: Reference to an automated build system
29 | - release-notes: Reference to release notes
30 | - security-contact: Specifies a way to contact the maintainer, supplier, or
31 |    provider in the event of a security incident. Common URIs include links
32 |    to a disclosure procedure, a mailto (RFC-2368) that specifies an email address,
33 |    a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies
34 |    the records containing DNS Security TXT.
35 | - model-card: A model card describes the intended uses of a machine learning
36 |    model, potential limitations, biases, ethical considerations, training parameters,
37 |    datasets used to train the model, performance metrics, and other relevant
38 |    data useful for ML transparency.
39 | - log: A record of events that occurred in a computer system or application,
40 |    such as problems, errors, or information on current operations.
41 |    configuration: Parameters or settings that may be used by other components
42 |    or services.
43 | - evidence: Information used to substantiate a claim.
44 | - formulation: Describes how a component or service was manufactured or deployed.
45 | - attestation: Human or machine-readable statements containing facts, evidence,
46 |    or testimony.
47 | - threat-model: An enumeration of identified weaknesses, threats, and countermeasures,
48 |    dataflow diagram (DFD), attack tree, and other supporting documentation
49 |    in human-readable or machine-readable format.
50 | - adversary-model: The defined assumptions, goals, and capabilities of an adversary.
51 | - risk-assessment: Identifies and analyzes the potential of future events that
52 |    may negatively impact individuals, assets, and/or the environment. Risk
53 |    assessments may also include judgments on the tolerability of each risk.
54 | - vulnerability-assertion: A Vulnerability Disclosure Report (VDR) which asserts
55 |    the known and previously unknown vulnerabilities that affect a component,
56 |    service, or product including the analysis and findings describing the impact
57 |    (or lack of impact) that the reported vulnerability has on a component,
58 |    service, or product.
59 | - exploitability-statement: A Vulnerability Exploitability eXchange (VEX) which
60 |    asserts the known vulnerabilities that do not affect a product, product
61 |    family, or organization, and optionally the ones that do. The VEX should
62 |    include the analysis and findings describing the impact (or lack of impact)
63 |    that the reported vulnerability has on the product, product family, or organization.
64 | - pentest-report: Results from an authorized simulated cyberattack on a component
65 |    or service, otherwise known as a penetration test.
66 | - static-analysis-report: SARIF or proprietary machine or human-readable report
67 |    for which static analysis has identified code quality, security, and other
68 |    potential issues with the source code.
69 | - dynamic-analysis-report: Dynamic analysis report that has identified issues
70 |    such as vulnerabilities and misconfigurations.
71 | - runtime-analysis-report: Report generated by analyzing the call stack of a
72 |    running application.
73 | - component-analysis-report: Report generated by Software Composition Analysis
74 |    (SCA), container analysis, or other forms of component analysis.
75 | - maturity-report: Report containing a formal assessment of an organization,
76 |    business unit, or team against a maturity model.
77 | - certification-report: Industry, regulatory, or other certification from an
78 |    accredited (if applicable) certification body.
79 | - codified-infrastructure: Code or configuration that defines and provisions
80 |    virtualized infrastructure, commonly referred to as Infrastructure as Code
81 |    (IaC).
82 | - quality-metrics: Report or system in which quality metrics can be obtained.
83 | - poam: Plans of Action and Milestones (POAM) complement an "attestation" external
84 |    reference. POAM is defined by NIST as a "document that identifies tasks
85 |    needing to be accomplished. It details resources required to accomplish
86 |    the elements of the plan, any milestones in meeting the tasks and scheduled
87 |    completion dates for the milestones".
88 | - electronic-signature: An e-signature is commonly a scanned representation
89 |    of a written signature or a stylized script of the person's name.
90 | - digital-signature: A signature that leverages cryptography, typically public/private
91 |    key pairs, which provides strong authenticity verification.
92 | - rfc-9116: Document that complies with RFC-9116 (A File Format to Aid in Security
93 |    Vulnerability Disclosure)
94 | - other: Use this if no other types accurately describe the purpose of the external
95 |    reference.


--------------------------------------------------------------------------------
/tea-collection/tea-collection.md:
--------------------------------------------------------------------------------
  1 | # TEA release and collections
  2 | 
  3 | ## The TEA release object (TRO)
  4 | 
  5 | The TEA Component Release object corresponds to a specific variant
  6 | (version) of a component with a release identifier (string),
  7 | release timestamp and a lifecycle enumeration for the release.
  8 | The UUID of the TEA Component Release object matches the UUID of the associated TEA Collection objects (TCO).
  9 | 
 10 | A TEA Component Release object has the following parts:
 11 | 
 12 | - __uuid__: A unique identifier for the TEA Component Release
 13 | - __version__: Version number
 14 | - __releaseDate__: Timestamp of the release (for sorting purposes)
 15 | - __preRelease__: A flag indicating pre-release (or beta) status.
 16 |   May be disabled after the creation of the release object, but can't be enabled after creation of an object.
 17 | - __identifiers__: List of identifiers for the component
 18 |   - __idType__: Type of identifier, e.g. `tei`, `purl`, `cpe`
 19 |   - __idValue__: Identifier value
 20 | 
 21 | ### Examples
 22 | 
 23 | A TEA Component Release object of the binary distribution of Apache Tomcat 11.0.6 will look like:
 24 | 
 25 | ```json
 26 | {
 27 |   "uuid": "605d0ecb-1057-40e4-9abf-c400b10f0345",
 28 |   "version": "11.0.6",
 29 |   "releaseDate": "2025-04-01T15:43:00Z",
 30 |   "identifiers": [
 31 |     {
 32 |       "idType": "purl",
 33 |       "idValue": "pkg:maven/org.apache.tomcat/tomcat@11.0.6"
 34 |     }
 35 |   ]
 36 | }
 37 | ```
 38 | 
 39 | Different versions of Apache Tomcat should have separate TEA Component Release objects:
 40 | 
 41 | ```json
 42 | {
 43 |   "uuid": "da89e38e-95e7-44ca-aa7d-f3b6b34c7fab",
 44 |   "version": "10.1.4",
 45 |   "releaseDate": "2025-04-01T18:20:00Z",
 46 |   "identifiers": [
 47 |     {
 48 |       "idType": "purl",
 49 |       "idValue": "pkg:maven/org.apache.tomcat/tomcat@10.1.4"
 50 |     }
 51 |   ]
 52 | }
 53 | ```
 54 | 
 55 | The pre-release flag is used to mark versions not production ready
 56 | and does not require users to know the version naming scheme adopted by the project.
 57 | 
 58 | ```json
 59 | {
 60 |   "uuid": "95f481df-f760-47f4-b2f2-f8b76d858450",
 61 |   "version": "11.0.0-M26",
 62 |   "releaseDate": "2024-09-13T17:49:00Z",
 63 |   "preRelease": true,
 64 |   "identifiers": [
 65 |     {
 66 |       "idType": "purl",
 67 |       "idValue": "pkg:maven/org.apache.tomcat/tomcat@11.0.0-M26"
 68 |     }
 69 |   ]
 70 | }
 71 | ```
 72 | 
 73 | ## The TEA Collection object (TCO)
 74 | 
 75 | For each product and version there is a Tea Collection object, which is a list
 76 | of available artifacts for this specific version. The TEA Index is a list of
 77 | TEA collections.
 78 | 
 79 | The TEA collection is normally created by the TEA application server at
 80 | publication time of artifacts. The publisher may sign the collection
 81 | object as a JSON file at time of publication.
 82 | 
 83 | If there are any updates of artifacts within a collection for the same
 84 | version of a product, then a new TEA Collection object is created and signed.
 85 | This update will have the same UUID, but a new version number. A reason
 86 | for the update will have to be provided. This shall be used to
 87 | correct mistakes, spelling errors as well as to provide new information
 88 | on dynamic artifact types such as LCE or VEX. If the product
 89 | is modified, that is a new product version and that should generate
 90 | a new collection object with a new UUID and updated metadata.
 91 | 
 92 | The API allows for retrieving the latest version of the collection,
 93 | or a specific version.
 94 | 
 95 | ### Dynamic or static Collection objects
 96 | 
 97 | The TCO is produced by the TEA software platform. There are two ways
 98 | to implement this:
 99 | 
100 | * __Dynamic__: The TCO is built for each API request and created
101 |   dynamically.
102 | * __Static__: The TCO is built at publication time as a static
103 |   object by the publisher. This object can be digitally signed at
104 |   publication time and version controlled.
105 | 
106 | ### Collection object
107 | 
108 | The TEA Collection object has the following parts:
109 | 
110 | - Preamble
111 |   - __uuid__: UUID of the TEA Collection object.
112 |     Note that this is equal to the UUID of the associated TEA Component Release object.
113 |     When updating a collection, only the `version` is changed.
114 |   - __version__: TEA Collection version, incremented each time its content changes.
115 |     Versions start with 1.
116 |   - __releaseDate__: TEA Collection version release date.
117 |   - __updateReason__: Reason for the update/release of the TEA Collection object.
118 |     - __type__: Type of update reason.
119 |       See [reasons for TEA Collection update](#the-reason-for-tco-update-enum) below.
120 |     - __comment__: Free text description.
121 | - __artifacts__: List of TEA artifact objects.
122 |   See [below](#artifact-object).
123 | 
124 | ### Artifact object
125 | 
126 | The TEA Artifact object has the following parts:
127 | 
128 | - __uuid__: UUID of the TEA Artifact object.
129 | - __name__: Artifact name.
130 | - __type__: Type of artifact.
131 |   See [TEA Artifact types](#tea-artifact-types) for a list.
132 | - __formats__: List of objects with the same content, but in different formats.
133 |   The order of the list has no significance.
134 |   - __mime_type__: The MIME type of the document
135 |   - __description__: A free text describing the artifact
136 |   - __url__: Direct download URL for the artifact
137 |   - __signature_url__: Direct download URL for an external signature of the artifact
138 |   - __checksums__: List of checksums for the artifact
139 |     - __algType__: Checksum algorithm
140 |       See [CycloneDX checksum algorithms](https://cyclonedx.org/docs/1.6/json/#components_items_hashes_items_alg) for a list of supported values.
141 |     - __algValue__: Checksum value
142 | 
143 | ### The reason for TCO update enum
144 | 
145 | | ENUM             | Description                            |
146 | |------------------|----------------------------------------|
147 | | INITIAL_RELEASE  | Initial release of the collection      |
148 | | VEX_UPDATED      | Updated the VEX artifact(s)            |
149 | | ARTIFACT_UPDATED | Updated the artifact(s) other than VEX |
150 | | ARTIFACT_REMOVED | Removal of artifact                    |
151 | | ARTIFACT_ADDED   | Addition of an artifact                |
152 | 
153 | Updates of VEX (CSAF) files may be handled in a different way by a TEA client,
154 | producing different alerts than other changes of a collection.
155 | 
156 | ### TEA Artifact types
157 | 
158 | | ENUM            | Description                                                                         |
159 | |-----------------|-------------------------------------------------------------------------------------|
160 | | ATTESTATION     | Machine-readable statements containing facts, evidence, or testimony.               |
161 | | BOM             | Bill of Materials: SBOM, OBOM, HBOM, SaaSBOM, etc.                                  |
162 | | BUILD_META      | Build-system specific metadata file: `pom.xml`, `package.json`, `.nuspec`, etc.     |
163 | | CERTIFICATION   | Industry, regulatory, or other certification from an accredited certification body. |
164 | | FORMULATION     | Describes how a component or service was manufactured or deployed.                  |
165 | | LICENSE         | License file                                                                        |
166 | | RELEASE_NOTES   | Release notes document                                                              |
167 | | SECURITY_TXT    | A `security.txt` file                                                               |
168 | | THREAT_MODEL    | A threat model                                                                      |
169 | | VULNERABILITIES | A list of vulnerabilities: VDR/VEX                                                  |
170 | | OTHER           | Document that does not fall into any of the above categories                        |
171 | 
172 | ### Examples
173 | 
174 | ```json
175 | {
176 |   "uuid": "4c72fe22-9d83-4c2f-8eba-d6db484f32c8",
177 |   "version": 1,
178 |   "releaseDate": "2024-12-13T00:00:00Z",
179 |   "updateReason": {
180 |     "type": "ARTIFACT_UPDATED",
181 |     "comment": "VDR file updated"
182 |   },
183 |   "artifacts": [
184 |     {
185 |       "uuid": "1cb47b95-8bf8-3bad-a5a4-0d54d86e10ce",
186 |       "name": "Build SBOM",
187 |       "type": "bom",
188 |       "formats": [
189 |         {
190 |           "mime_type": "application/vnd.cyclonedx+xml",
191 |           "description": "CycloneDX SBOM (XML)",
192 |           "url": "https://repo.maven.apache.org/maven2/org/apache/logging/log4j/log4j-core/2.24.3/log4j-core-2.24.3-cyclonedx.xml",
193 |           "signature_url": "https://repo.maven.apache.org/maven2/org/apache/logging/log4j/log4j-core/2.24.3/log4j-core-2.24.3-cyclonedx.xml.asc",
194 |           "checksums": [
195 |             {
196 |               "algType": "MD5",
197 |               "algValue": "2e1a525afc81b0a8ecff114b8b743de9"
198 |             },
199 |             {
200 |               "algType": "SHA-1",
201 |               "algValue": "5a7d4caef63c5c5ccdf07c39337323529eb5a770"
202 |             }
203 |           ]
204 |         }
205 |       ]
206 |     },
207 |     {
208 |       "uuid": "dfa35519-9734-4259-bba1-3e825cf4be06",
209 |       "name": "Vulnerability Disclosure Report",
210 |       "type": "vulnerability-assertion",
211 |       "formats": [
212 |         {
213 |           "mime_type": "application/vnd.cyclonedx+xml",
214 |           "description": "CycloneDX VDR (XML)",
215 |           "url": "https://logging.apache.org/cyclonedx/vdr.xml",
216 |           "checksums": [
217 |             {
218 |               "algType": "SHA-256",
219 |               "algValue": "75b81020b3917cb682b1a7605ade431e062f7a4c01a412f0b87543b6e995ad2a"
220 |             }
221 |           ]
222 |         }
223 |       ]
224 |     }
225 |   ]
226 | }
227 | ```
228 | 


--------------------------------------------------------------------------------
/tea-component/tea-component.md:
--------------------------------------------------------------------------------
 1 | # The TEA Component API
 2 | 
 3 | The TEA Component object is the object that indicates a product component. The product may
 4 | be constructed with one or multiple Tea Components, each with their own set of
 5 | related artefacts.
 6 | 
 7 | For each TEA COMPONENT there is a TEA COMPONENT INDEX, which is a list of all versions
 8 | for that component.
 9 | 
10 | The API should be very agnostic as to how a "version" is indicated - semver, vers,
11 | name, hash or anything else.
12 | 
13 | ## Major and minor versions
14 | 
15 | Each component is for a sub-version or minor version (using semver definitions). A new
16 | major version counts as a new product with a separate product object (TPO). Each
17 | product object has one or multiple TEI URNs.
18 | 
19 | For the API to be able to present a list of versions in a cronological order,
20 | a timestamp for a release is required.
21 | 
22 | ## TEA Component Object
23 | 
24 | A TEA Component object has the following parts:
25 | 
26 | - __uuid__: A unique identifier for the TEA component
27 | - __name__: Component name
28 | - __identifiers__: List of identifiers for the component
29 |   - __idType__: Type of identifier, e.g. `tei`, `purl`, `cpe`
30 |   - __idValue__: Identifier value
31 | 
32 | Note: In coming versions, there may be a flag indicating lifecycle status
33 | for a component.
34 | 
35 | ### Examples
36 | 
37 | Some examples of Maven artifacts as TEA Components:
38 | 
39 | ```json
40 | {
41 |   "uuid": "3910e0fd-aff4-48d6-b75f-8bf6b84687f0",
42 |   "name": "Apache Log4j API",
43 |   "identifiers": [
44 |     {
45 |       "idType": "purl",
46 |       "idValue": "pkg:maven/org.apache.logging.log4j/log4j-api"
47 |     }
48 |   ]
49 | }
50 | ```
51 | 
52 | ```json
53 | {
54 |   "uuid": "b844c9bd-55d6-478c-af59-954a932b6ad3",
55 |   "name": "Apache Log4j Core",
56 |   "identifiers": [
57 |     {
58 |       "idType": "cpe",
59 |       "idValue": "cpe:2.3:a:apache:log4j"
60 |     },
61 |     {
62 |       "idType": "purl",
63 |       "idValue": "pkg:maven/org.apache.logging.log4j/log4j-core"
64 |     }
65 |   ]
66 | }
67 | ```
68 | 
69 | ## Handling the Pre-Release flag
70 | 
71 | The "Pre-release" flag is used to indicate that this is not a final release.
72 | For a given Component with a UUID, the flag can be set to indicate a "test", "beta", "alpha"
73 | or similar non-deployed release. It can only be set when creating the Component.
74 | The TEA implementation may allow it to be unset (False) once. This is to support
75 | situations where a object is promoted as is after testing to production version. The flag can not
76 | be set after initial creation and publication of the Component.
77 | 
78 | If the final version is different from the pre-release (bugs fixed, code changed, different binary)
79 | a new Component with a new UUID and version needs to be created.
80 | 
81 | ## References
82 | 
83 | - Semantic versioning (Semver): <https://semver.org>
84 | - PURL VERS <https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst>
85 | 


--------------------------------------------------------------------------------
/tea-product/tea-product.md:
--------------------------------------------------------------------------------
  1 | # The TEA product API
  2 | 
  3 | After TEA discovery, a user has a URL to the TEA product API where
  4 | the TEI is used to query for data. The TEI marks the product sold,
  5 | which can be a single unit or multiple units in a bundle.
  6 | 
  7 | - For a single product, the output will be metadata about the
  8 |   product and a TEA COMPONENT object.
  9 | - For a composed product consisting of a bundle, the response
 10 |   will be multiple TEA COMPONENT objects.
 11 | 
 12 | In addition, all known TEIs for the product will be returned,
 13 | in order for a TEA client to avoid duplication.
 14 | 
 15 | ## Authorization
 16 | 
 17 | Authorization can be done on multiple levels, including
 18 | which products and versions are supported for a specific user.
 19 | 
 20 | ## Composite products
 21 | 
 22 | If a product consists of a set of products, each with a different
 23 | version number and update scheme, a TEA bundle will be the starting
 24 | point of discovery. The TEA bundle will list all included parts
 25 | and include pointers (URLs) to the TEA index for these.
 26 | 
 27 | The URL can be to a different vendor or different site with the
 28 | same vendor.
 29 | 
 30 | ## TEA Product object
 31 | 
 32 | A TEA Product object has the following parts:
 33 | 
 34 | - __uuid__: A unique identifier for the TEA product
 35 | - __name__: Product name
 36 | - __identifiers__: List of identifiers for the product
 37 |    - __idType__: Type of identifier, e.g. `tei`, `purl`, `cpe`
 38 |    - __idValue__: Identifier value
 39 | - __components__: List of TEA components for the product
 40 |    - __uuid__: Unique identifier of the TEA component
 41 | 
 42 | The TEA Component UUID is used in the Component API to find out which versions
 43 | of the Component that exists.
 44 | 
 45 | The goal of the TEA Product API is to provide a selection of product
 46 | versions to assist the user software in finding a match for the
 47 | owned version.
 48 | 
 49 | ### Example
 50 | 
 51 | An example of a product consisting of an OSS project and all its Maven artifacts:
 52 | 
 53 | ```json
 54 | {
 55 |   "uuid": "09e8c73b-ac45-4475-acac-33e6a7314e6d",
 56 |   "name": "Apache Log4j 2",
 57 |   "identifiers": [
 58 |     {
 59 |       "idType": "cpe",
 60 |       "idValue": "cpe:2.3:a:apache:log4j"
 61 |     },
 62 |     {
 63 |       "idType": "purl",
 64 |       "idValue": "pkg:maven/org.apache.logging.log4j/log4j-api"
 65 |     },
 66 |     {
 67 |       "idType": "purl",
 68 |       "idValue": "pkg:maven/org.apache.logging.log4j/log4j-core"
 69 |     },
 70 |     {
 71 |       "idType": "purl",
 72 |       "idValue": "pkg:maven/org.apache.logging.log4j/log4j-layout-template-json"
 73 |     }
 74 |   ],
 75 |   "components": [
 76 |     "3910e0fd-aff4-48d6-b75f-8bf6b84687f0",
 77 |     "b844c9bd-55d6-478c-af59-954a932b6ad3",
 78 |     "d6d3f754-d4f4-4672-b096-b994b064ca2d"
 79 |   ]
 80 | }
 81 | ```
 82 | 
 83 | ### API usage
 84 | 
 85 | The user will find this API end point using TEA discovery.
 86 | 
 87 | A user will approach the API just to discover data before purchase,
 88 | or with a specific product and product version in scope.
 89 | The format of the version may follow many syntaxes, so maybe
 90 | the API needs to be able to provide some sort of format
 91 | for the version string.
 92 | 
 93 | An automated system may want to provide the user with a GUI,
 94 | listing versions and being able to scroll to the next page
 95 | until the user selects a version.
 96 | 
 97 | ### Tea API operation
 98 | 
 99 | * Recommendation: Support HTTP compression
100 | * Recommendation: HTTP content negotiation
101 |   * Like "I prefer JSON, but can accept XML"
102 | * Pagination support
103 |   * max per page
104 |   * start page
105 |   * Default value defined
106 | 
107 | 
108 | 


--------------------------------------------------------------------------------