@P3tra-WP

Title:
Refactor data/threat modeling schemas and regenerate bundles

Description:
This PR updates the data and threat modeling schemas to improve consistency, reuse, and explicit linkage across models, and regenerates bundled schemas.

What changed

  • Data classification refactor:
      • Moved detailed dataClassification into the shared data model.
      • dataClassification now supports: enum string, custom string, or detailed object.
      • Detailed object uses dataCategory for dataTypes.
  • Data objects and categories:
      • dataObject and dataCategory moved to cyclonedx-data-2.0.schema.json.
      • dataSet.dataObjects now references shared dataObject definitions.
  • Flow metadata consolidation:
      • Removed flow.dataFormat and flow.classification; flows reference dataObjects for these details.
  • Threat model enhancements:
      • Added vulnerabilityRef on threatScenario to link threats to vulnerabilities.
      • Added ibmRiskAtlas reference object.
      • CAPEC references already supported via attackPattern / attackPatternReference.
  • Risk model fixups:
      • Added missing likelihoodFactor definition.
  • Blueprint schema fixups:
      • Moved actor into $defs and added accessControlType alias to authorizationType.
      • Enforced dataObject classification via oneOf (inline vs ref).
  • Bundled outputs regenerated:
      • cyclonedx-2.0-bundled.schema.json
      • cyclonedx-2.0-bundled.min.schema.json
      • cyclonedx-api-2.0-bundled.schema.json
      • cyclonedx-api-2.0-bundled.min.schema.json

Notes

  • Bundler warns about missing 2020-12 meta-schema in AJV (existing behavior).

Testing

  • Bundled schemas regenerated via bundle-schemas.js.

Contributor

Copilot AI left a comment

Pull request overview

This PR refactors the data and threat modeling schemas to improve consistency, reuse, and explicit linkage across models. The changes consolidate data classification logic into a shared data model, add new threat model references (vulnerabilityRef and ibmRiskAtlas), fix missing risk model definitions, and reorganize the blueprint schema structure.

Changes:

  • Enhanced threat modeling with vulnerabilityRef and ibmRiskAtlasReference support
  • Refactored dataClassification to support enum strings, custom strings, or detailed objects with comprehensive metadata
  • Consolidated dataObject and dataCategory definitions into the shared cyclonedx-data-2.0 schema
  • Reorganized blueprint schema by moving actor into $defs and adding accessControlType alias
  • Regenerated bundled schemas to reflect all structural changes

Reviewed changes

Copilot reviewed 4 out of 8 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| cyclonedx-threat-2.0.schema.json | Added vulnerabilityRef and ibmRiskAtlasReference to threatScenario |
| cyclonedx-risk-2.0.schema.json | Added missing likelihoodFactor definition |
| cyclonedx-data-2.0.schema.json | Refactored dataClassification with detailed metadata, added dataCategory and dataObject definitions |
| cyclonedx-blueprint-2.0.schema.json | Moved actor to $defs, updated references to use shared data model definitions, removed duplicate definitions |
| cyclonedx-api-2.0-bundled.min.schema.json | Regenerated bundled schema incorporating all changes |
