diff --git a/schema/bom-1.5.schema.json b/schema/bom-1.5.schema.json
index fc18b818..1838b059 100644
--- a/schema/bom-1.5.schema.json
+++ b/schema/bom-1.5.schema.json
@@ -42,6 +42,7 @@
"type": "integer",
"title": "BOM Version",
"description": "Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.",
+ "minimum": 1,
"default": 1,
"examples": [1]
},
@@ -121,13 +122,20 @@
},
"definitions": {
"refType": {
- "$comment": "Identifier-DataType for interlinked elements.",
- "type": "string"
+ "description": "Identifier for referable and therefore interlink-able elements.",
+ "type": "string",
+ "minLength": 1,
+ "$comment": "value SHOULD not start with the BOM-Link intro 'urn:cdx:'"
+ },
+ "refLinkType": {
+ "description": "Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.",
+ "allOf": [{"$ref": "#/definitions/refType"}]
},
"bomLinkDocumentType": {
"title": "BOM-Link document",
"description": "Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/",
"type": "string",
+ "format": "iri-reference",
"pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$",
"$comment": "part of the pattern is based on `bom.serialNumber`'s pattern"
},
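Review bot: The `$comment` on refType (`value SHOULD not start with the BOM-Link intro 'urn:cdx:'`) is the only thing separating a local bom-ref from a BOM-Link, and `$comment` is never evaluated, so refType still accepts every string that bomLinkElementType accepts. That matters for the `anyOf` unions added later in this diff (the hunks ending at L130, L142, L154, L166 and L178): each validates exactly the same value set as `#/definitions/refLinkType` alone, so a validator cannot tell the branches apart and the disambiguation is left entirely to consumers inspecting the `urn:cdx:` prefix. If the exclusion is meant to be enforced it belongs in a `pattern` on refType; if it is deliberately advisory, state it where readers see it, e.g. `"description": "Identifier for referable and therefore interlink-able elements. Values starting with 'urn:cdx:' are reserved for BOM-Links and are not valid bom-refs."`. Note that `minLength: 1` is the part that actually tightens validation (an empty bom-ref is now rejected), while `format: iri-reference` on bomLinkDocumentType is annotation-only under draft-07 (which the `definitions` keyword suggests this schema uses) unless the validator opts in, so the existing `pattern` remains the effective check.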
@@ -135,6 +143,7 @@
"title": "BOM-Link element",
"description": "Descriptor for an element in another BOM document. See https://cyclonedx.org/capabilities/bomlink/",
"type": "string",
+ "format": "iri-reference",
"pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$",
"$comment": "part of the pattern is based on `bom.serialNumber`'s pattern"
},
@@ -1125,10 +1134,17 @@
"additionalProperties": false,
"properties": {
"url": {
- "type": "string",
+ "anyOf": [
+ {
+ "type": "string",
+ "format": "iri-reference"
+ },
+ {
+ "$ref": "#/definitions/bomLink"
+ }
+ ],
"title": "URL",
- "description": "The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs.",
- "format": "iri-reference"
+ "description": "The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs."
},
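Review bot: The new branch `"$ref": "#/definitions/bomLink"` points at a definition that does not appear anywhere in this diff; only `bomLinkDocumentType` and `bomLinkElementType` are touched. If `bomLink` is not already defined elsewhere in the file, the reference dangles, and validators differ on whether that is an error or a silently-passing subschema, so please confirm it resolves. Also worth noting that the first branch (`type: string` + `format: iri-reference`) already accepts any `urn:cdx:...` value, so the second branch adds documentation rather than validation; if that is the intent, a `$comment` such as `"$comment": "second branch documents BOM-Link support; the first branch already accepts those values"` would save the next reader the same analysis.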
"comment": {
"type": "string",
@@ -1199,7 +1215,7 @@
"additionalProperties": false,
"properties": {
"ref": {
- "$ref": "#/definitions/refType",
+ "$ref": "#/definitions/refLinkType",
"title": "Reference",
"description": "References a component by the components bom-ref attribute"
},
@@ -1207,7 +1223,7 @@
"type": "array",
"uniqueItems": true,
"items": {
- "$ref": "#/definitions/refType"
+ "$ref": "#/definitions/refLinkType"
},
"title": "Depends On",
"description": "The bom-ref identifiers of the components that are dependencies of this dependency object."
@@ -1362,8 +1378,15 @@
"source": {
"type": "array",
"items": {
- "type": "string",
- "format": "iri-reference"
+ "anyOf": [
+ {
+ "type": "string",
+ "format": "iri-reference"
+ },
+ {
+ "$ref": "#/definitions/bomLinkElementType"
+ }
+ ]
},
"title": "Source",
"description": "The URI, URL, or BOM-Link of the components or services the data came in from"
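Review bot: The `source` items accept `bomLinkElementType` but not `bomLinkDocumentType`, while the description says "BOM-Link" without qualification, so a reader would reasonably expect a whole-document link (`urn:cdx:<serial>/<version>` with no fragment) to be valid here when it is not. If restricting dataflow endpoints to element links is intentional, say so, e.g. `"description": "The URI, URL, or BOM-Link (to an element, not a whole BOM) of the components or services the data came in from"`; if not, the union should include `bomLinkDocumentType` as well. The same applies to the `destination` hunk ending at L118.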
@@ -1371,8 +1394,15 @@
"destination": {
"type": "array",
"items": {
- "type": "string",
- "format": "iri-reference"
+ "anyOf": [
+ {
+ "type": "string",
+ "format": "iri-reference"
+ },
+ {
+ "$ref": "#/definitions/bomLinkElementType"
+ }
+ ]
},
"title": "Destination",
"description": "The URI, URL, or BOM-Link of the components or services the data is sent to"
@@ -1480,7 +1510,10 @@
"type": "array",
"uniqueItems": true,
"items": {
- "$ref": "#/definitions/refType"
+ "anyOf": [
+ {"$ref": "#/definitions/refLinkType"},
+ {"$ref": "#/definitions/bomLinkElementType"}
+ ]
},
"title": "BOM References",
"description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."
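Review bot: The description still says "The object in the BOM identified by its bom-ref", but the items can now also be a `bomLinkElementType`, i.e. an element in a different BOM document, so the text no longer matches what the schema accepts. Suggest `"description": "The object identified by its bom-ref, or a BOM-Link to an element in another BOM. This is often a component or service, but may be any object type supporting bom-refs. ..."` with the rest unchanged. The same stale wording remains in the hunks ending at L142 ("The bom-ref identifiers of the components or services being described"), L154, L166 and L177, each of which now also admits cross-document links.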
@@ -1600,7 +1633,10 @@
"type": "array",
"uniqueItems": true,
"items": {
- "$ref": "#/definitions/refType"
+ "anyOf": [
+ {"$ref": "#/definitions/refLinkType"},
+ {"$ref": "#/definitions/bomLinkElementType"}
+ ]
},
"title": "BOM references",
"description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only."
@@ -2182,7 +2218,10 @@
"additionalProperties": false,
"properties": {
"ref": {
- "$ref": "#/definitions/refType",
+ "anyOf": [
+ {"$ref": "#/definitions/refLinkType"},
+ {"$ref": "#/definitions/bomLinkElementType"}
+ ],
"title": "Reference",
"description": "References a component or service by the objects bom-ref"
},
@@ -2275,7 +2314,10 @@
"type": "array",
"uniqueItems": true,
"items": {
- "$ref": "#/definitions/refType"
+ "anyOf": [
+ {"$ref": "#/definitions/refLinkType"},
+ {"$ref": "#/definitions/bomLinkElementType"}
+ ]
},
"title": "BOM References",
"description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs."
@@ -2413,7 +2455,10 @@
"additionalProperties": false,
"properties": {
"ref": {
- "$ref": "#/definitions/refType",
+ "anyOf": [
+ {"$ref": "#/definitions/refLinkType"},
+ {"$ref": "#/definitions/bomLinkElementType"}
+ ],
"title": "Reference",
"description": "References a data component by the components bom-ref attribute"
}
diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd
index 9a1bc02b..cbdbaee3 100644
--- a/schema/bom-1.5.xsd
+++ b/schema/bom-1.5.xsd
@@ -37,9 +37,21 @@ limitations under the License.
- Identifier-DataType for interlinked elements.
+ Identifier for referable and therefore interlink-able elements.
-
+
+
+
+
+
+
+
+
+ Descriptor for an element identified by the attribute "bom-ref" in the same BOM document.
+ In contrast to `bomLinkElementType`.
+
+
+
@@ -49,9 +61,9 @@ limitations under the License.
See https://cyclonedx.org/capabilities/bomlink/
-
+
-
+
@@ -61,9 +73,9 @@ limitations under the License.
See https://cyclonedx.org/capabilities/bomlink/
-
+
-
+
@@ -1380,7 +1392,7 @@ limitations under the License.
-
+
The URI (URL or URN) to the external reference. External references
are URIs and therefore can accept any URL scheme including https, mailto, tel, and dns.
@@ -1389,6 +1401,9 @@ limitations under the License.
references into relationships that can be expressed in a BOM or across BOMs. Refer to:
https://cyclonedx.org/capabilities/bomlink/
+
+
+
@@ -1769,9 +1784,9 @@ limitations under the License.
-
+
- References a component or service by the its bom-ref attribute
+ References a component or service by its bom-ref attribute
@@ -1902,7 +1917,11 @@ limitations under the License.
-
+
+
+
+
+
@@ -1912,7 +1931,11 @@ limitations under the License.
-
+
+
+
+
+
@@ -2647,10 +2670,13 @@ limitations under the License.
-
+
References a data component by the components bom-ref attribute
+
+
+
@@ -3217,10 +3243,13 @@ limitations under the License.
-
+
- References a component or service by the its bom-ref attribute
+ References a component or service by its bom-ref attribute
+
+
+
@@ -3574,10 +3603,13 @@ limitations under the License.
-
+
References a component or service by the objects bom-ref.
+
+
+
@@ -5383,7 +5415,7 @@ limitations under the License.
-
+
Whenever an existing BOM is modified, either manually or through automated
processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with
diff --git a/tools/src/test/resources/1.5/invalid-component-ref-1.5.json b/tools/src/test/resources/1.5/invalid-component-ref-1.5.json
index c00f57d1..ed13f526 100644
--- a/tools/src/test/resources/1.5/invalid-component-ref-1.5.json
+++ b/tools/src/test/resources/1.5/invalid-component-ref-1.5.json
@@ -15,6 +15,12 @@
"bom-ref": "123",
"name": "acme-library",
"version": "1.0.0"
+ },
+ {
+ "type": "library",
+ "bom-ref": "",
+ "name": "acme-library",
+ "version": "1.0.0"
}
]
}
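Review bot: The empty `"bom-ref": ""` component is appended to a fixture that, judging by its name and the existing `"bom-ref": "123"` entry shown in context, already fails validation for another reason, so a test that only asserts "invalid" cannot tell whether the new `minLength: 1` rule is what rejected it. A dedicated fixture containing only the empty bom-ref (and, for the positive side, a valid fixture proving a one-character ref still passes) would pin the new constraint on its own. The same concern applies to the dependency fixture in the hunk ending at L316, where the new `"ref": ""` object sits next to an entry that already lacks `ref`.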
diff --git a/tools/src/test/resources/1.5/invalid-component-ref-1.5.xml b/tools/src/test/resources/1.5/invalid-component-ref-1.5.xml
index cb83d8fc..5c42a883 100644
--- a/tools/src/test/resources/1.5/invalid-component-ref-1.5.xml
+++ b/tools/src/test/resources/1.5/invalid-component-ref-1.5.xml
@@ -6,6 +6,12 @@
1.0.0
+
+ acme-library
+ 1.0.0
+
+
+
acme-library
1.0.0
diff --git a/tools/src/test/resources/1.5/invalid-dependency-1.5.json b/tools/src/test/resources/1.5/invalid-dependency-1.5.json
index 8b46f0d0..f4f52452 100644
--- a/tools/src/test/resources/1.5/invalid-dependency-1.5.json
+++ b/tools/src/test/resources/1.5/invalid-dependency-1.5.json
@@ -27,6 +27,12 @@
{
"dependsOn": []
},
+ {
+ "ref": "",
+ "dependsOn": [
+ "library-a"
+ ]
+ },
{
"ref": "library-b",
"dependsOn": [
diff --git a/tools/src/test/resources/1.5/invalid-dependency-1.5.xml b/tools/src/test/resources/1.5/invalid-dependency-1.5.xml
index 363956aa..f36722e5 100644
--- a/tools/src/test/resources/1.5/invalid-dependency-1.5.xml
+++ b/tools/src/test/resources/1.5/invalid-dependency-1.5.xml
@@ -15,9 +15,17 @@
-
+
+
+
+
+
+
+
-
+
+
+