From 633b4cc5ed9f97a86f7a2047f53b127cbd67b610 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Sun, 4 Jun 2023 11:25:58 +0200 Subject: [PATCH 1/9] intro to explicitely linked elements Signed-off-by: Jan Kowalleck --- schema/bom-1.5.xsd | 50 +++++++++++++++---- .../1.5/invalid-component-ref-1.5.xml | 6 +++ .../resources/1.5/invalid-dependency-1.5.xml | 11 +++- 3 files changed, 56 insertions(+), 11 deletions(-) diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd index 98237283..19eeb202 100644 --- a/schema/bom-1.5.xsd +++ b/schema/bom-1.5.xsd @@ -37,9 +37,21 @@ limitations under the License. - Identifier-DataType for interlinked elements. + Identifier-DataType for interlink-able elements. - + + + + + + + + + Descriptor for an element identified by the attribute "bom-ref" in the same BOM document. + In contrast to `bomLinkElementType`. + + + @@ -1339,7 +1351,7 @@ limitations under the License. - + The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https, mailto, tel, and dns. @@ -1348,6 +1360,9 @@ limitations under the License. references into relationships that can be expressed in a BOM or across BOMs. Refer to: https://cyclonedx.org/capabilities/bomlink/ + + + @@ -1728,7 +1743,7 @@ limitations under the License. - + References a component or service by the its bom-ref attribute @@ -1861,7 +1876,11 @@ limitations under the License. - + + + + + @@ -1871,7 +1890,11 @@ limitations under the License. - + + + + + @@ -2606,10 +2629,13 @@ limitations under the License. - + References a data component by the components bom-ref attribute + + + @@ -3171,10 +3197,13 @@ limitations under the License. - + References a component or service by the its bom-ref attribute + + + @@ -3528,10 +3557,13 @@ limitations under the License. - + References a component or service by the objects bom-ref. + + + 
diff --git a/tools/src/test/resources/1.5/invalid-component-ref-1.5.xml b/tools/src/test/resources/1.5/invalid-component-ref-1.5.xml index cb83d8fc..5c42a883 100644 --- a/tools/src/test/resources/1.5/invalid-component-ref-1.5.xml +++ b/tools/src/test/resources/1.5/invalid-component-ref-1.5.xml @@ -6,6 +6,12 @@ 1.0.0 + + acme-library + 1.0.0 + + + acme-library 1.0.0 diff --git a/tools/src/test/resources/1.5/invalid-dependency-1.5.xml b/tools/src/test/resources/1.5/invalid-dependency-1.5.xml index 363956aa..c888359d 100644 --- a/tools/src/test/resources/1.5/invalid-dependency-1.5.xml +++ b/tools/src/test/resources/1.5/invalid-dependency-1.5.xml @@ -15,9 +15,16 @@ - + + + + + + - + + + From eb8233490955aa27862a8cda255eebc2a37c362f Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Sun, 4 Jun 2023 11:46:59 +0200 Subject: [PATCH 2/9] docs Signed-off-by: Jan Kowalleck --- schema/bom-1.5.xsd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd index 19eeb202..3813a9da 100644 --- a/schema/bom-1.5.xsd +++ b/schema/bom-1.5.xsd @@ -37,7 +37,7 @@ limitations under the License. - Identifier-DataType for interlink-able elements. + Identifier for referable and therefore interlink-able elements. From 242730c1746fe7c84beaa72bd904ae5aca73805b Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 5 Jun 2023 08:37:04 +0200 Subject: [PATCH 3/9] bomLinks based on `anyURI` Signed-off-by: Jan Kowalleck --- schema/bom-1.5.xsd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd index 3813a9da..b1344337 100644 --- a/schema/bom-1.5.xsd +++ b/schema/bom-1.5.xsd @@ -61,7 +61,7 @@ limitations under the License. See https://cyclonedx.org/capabilities/bomlink/ - + @@ -73,7 +73,7 @@ limitations under the License. See https://cyclonedx.org/capabilities/bomlink/ - + From 626dbbc824f7eb1ed011bedfa87a3dd8192b8698 Mon Sep 17 00:00:00 2001 
From: Jan Kowalleck Date: Mon, 5 Jun 2023 08:48:32 +0200 Subject: [PATCH 4/9] json types Signed-off-by: Jan Kowalleck --- schema/bom-1.5.schema.json | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.5.schema.json b/schema/bom-1.5.schema.json index 68e0abb9..f7530741 100644 --- a/schema/bom-1.5.schema.json +++ b/schema/bom-1.5.schema.json @@ -114,13 +114,20 @@ }, "definitions": { "refType": { - "$comment": "Identifier-DataType for interlinked elements.", - "type": "string" + "description": "Identifier for referable and therefore interlink-able elements.", + "type": "string", + "minLength": 1, + "$comment": "value SHOULD not start with the BOM-Link intro 'urn:cdx:'" + }, + "refLinkType": { + "description": "Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.", + "allOf": [{"$ref": "#/definitions/refType"}] }, "bomLinkDocumentType": { "title": "BOM-Link document", "description": "Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/", "type": "string", + "format": "iri-reference", "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$", "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern" }, @@ -128,6 +135,7 @@ "title": "BOM-Link element", "description": "Descriptor for an element in another BOM document. See https://cyclonedx.org/capabilities/bomlink/", "type": "string", + "format": "iri-reference", "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$", "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern" }, From e762bcaf24b7d86de8fa9976cc265cddfdb9034f Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 5 Jun 2023 09:38:55 +0200 Subject: [PATCH 5/9] typo Signed-off-by: Jan Kowalleck --- schema/bom-1.5.xsd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
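Review bot: The `$comment` on `refType` says the value SHOULD not start with `urn:cdx:`, but nothing in the schema enforces it, and because `refLinkType` is only `refType` wrapped in `allOf`, any string beginning with `urn:cdx:` — including a malformed BOM-Link that fails the `bomLinkElementType` pattern — still validates wherever `refLinkType` is accepted. If the rule is meant to be hard, add `"pattern": "^(?!urn:cdx:)"` to `refType`, with the caveat that this relies on the ECMA-262 regex dialect JSON Schema prescribes and that validators built on engines without lookahead (RE2-based ones, for example) would reject or ignore it, and that the XSD side would need an equivalent constraint to keep the two schemas in step. The `"format": "iri-reference"` added to the two BOM-Link types is an annotation unless the validator opts into format assertion, so the `pattern` remains the only effective check on those values.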
diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd index b1344337..d120e0fc 100644 --- a/schema/bom-1.5.xsd +++ b/schema/bom-1.5.xsd @@ -1745,7 +1745,7 @@ limitations under the License. - References a component or service by the its bom-ref attribute + References a component or service by its bom-ref attribute @@ -3199,7 +3199,7 @@ limitations under the License. - References a component or service by the its bom-ref attribute + References a component or service by its bom-ref attribute From 444272455973674c00c77c3effffd0fff6c9a78b Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 5 Jun 2023 09:39:03 +0200 Subject: [PATCH 6/9] json schema Signed-off-by: Jan Kowalleck --- schema/bom-1.5.schema.json | 64 +++++++++++++++++++++++++++++--------- 1 file changed, 50 insertions(+), 14 deletions(-) diff --git a/schema/bom-1.5.schema.json b/schema/bom-1.5.schema.json index f7530741..4319d0af 100644 --- a/schema/bom-1.5.schema.json +++ b/schema/bom-1.5.schema.json 
@@ -1117,10 +1117,17 @@ "additionalProperties": false, "properties": { "url": { - "type": "string", + "anyOf": [ + { + "type": "string", + "format": "iri-reference" + }, + { + "$ref": "#/definitions/bomLink" + } + ], "title": "URL", - "description": "The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs.", - "format": "iri-reference" + "description": "The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs." }, "comment": { "type": "string", @@ -1186,7 +1193,7 @@ "additionalProperties": false, "properties": { "ref": { - "$ref": "#/definitions/refType", + "$ref": "#/definitions/refLinkType", "title": "Reference", "description": "References a component by the components bom-ref attribute" }, 
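Review bot: In the `url` property the first `anyOf` branch (`"type": "string"` with `"format": "iri-reference"`) already accepts every syntactically valid IRI-reference, and a `urn:cdx:` string is one, so the `#/definitions/bomLink` branch can never reject anything — a malformed BOM-Link with a bad serial number or version validates through the first branch. The same superset shape appears in the `source`/`destination` items of the next hunk, and in the `refLinkType`/`bomLinkElementType` unions of the `bomRefs` and `ref` hunks that follow, since `refLinkType` is any non-empty string and therefore subsumes `bomLinkElementType`. If the BOM-Link shape is meant to be validated, key the stricter check on the prefix instead, e.g. `"if": {"pattern": "^urn:cdx:"}, "then": {"$ref": "#/definitions/bomLink"}` next to the string type, which draft-07 supports if that is the declared dialect. I cannot see from this hunk whether `#/definitions/bomLink` exists in the file; if it does not, the `$ref` fails to resolve when the schema is loaded.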
@@ -1194,7 +1201,7 @@ "type": "array", "uniqueItems": true, "items": { - "$ref": "#/definitions/refType" + "$ref": "#/definitions/refLinkType" }, "title": "Depends On", "description": "The bom-ref identifiers of the components that are dependencies of this dependency object." @@ -1349,8 +1356,15 @@ "source": { "type": "array", "items": { - "type": "string", - "format": "iri-reference" + "anyOf": [ + { + "type": "string", + "format": "iri-reference" + }, + { + "$ref": "#/definitions/bomLinkElementType" + } + ] }, "title": "Source", "description": "The URI, URL, or BOM-Link of the components or services the data came in from" @@ -1358,8 +1372,15 @@ "destination": { "type": "array", "items": { - "type": "string", - "format": "iri-reference" + "anyOf": [ + { + "type": "string", + "format": "iri-reference" + }, + { + "$ref": "#/definitions/bomLinkElementType" + } + ] }, "title": "Destination", "description": "The URI, URL, or BOM-Link of the components or services the data is sent to" @@ -1467,7 +1488,10 @@ "type": "array", "uniqueItems": true, "items": { - "$ref": "#/definitions/refType" + "anyOf": [ + {"$ref": "#/definitions/refLinkType"}, + {"$ref": "#/definitions/bomLinkElementType"} + ] }, "title": "BOM References", "description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation." 
@@ -1587,7 +1611,10 @@ "type": "array", "uniqueItems": true, "items": { - "$ref": "#/definitions/refType" + "anyOf": [ + {"$ref": "#/definitions/refLinkType"}, + {"$ref": "#/definitions/bomLinkElementType"} + ] }, "title": "BOM references", "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only." @@ -2167,7 +2194,10 @@ "additionalProperties": false, "properties": { "ref": { - "$ref": "#/definitions/refType", + "anyOf": [ + {"$ref": "#/definitions/refLinkType"}, + {"$ref": "#/definitions/bomLinkElementType"} + ], "title": "Reference", "description": "References a component or service by the objects bom-ref" }, @@ -2260,7 +2290,10 @@ "type": "array", "uniqueItems": true, "items": { - "$ref": "#/definitions/refType" + "anyOf": [ + {"$ref": "#/definitions/refLinkType"}, + {"$ref": "#/definitions/bomLinkElementType"} + ] }, "title": "BOM References", "description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs." @@ -2398,7 +2431,10 @@ "additionalProperties": false, "properties": { "ref": { - "$ref": "#/definitions/refType", + "anyOf": [ + {"$ref": "#/definitions/refLinkType"}, + {"$ref": "#/definitions/bomLinkElementType"} + ], "title": "Reference", "description": "References a data component by the components bom-ref attribute" } From f71582dd1bd1457ac16d8775a55c4c1a31a48c8a Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 5 Jun 2023 09:44:52 +0200 Subject: [PATCH 7/9] tests 
Signed-off-by: Jan Kowalleck --- tools/src/test/resources/1.5/invalid-component-ref-1.5.json | 6 ++++++ tools/src/test/resources/1.5/invalid-dependency-1.5.json | 6 ++++++ tools/src/test/resources/1.5/invalid-dependency-1.5.xml | 1 + 3 files changed, 13 insertions(+) diff --git a/tools/src/test/resources/1.5/invalid-component-ref-1.5.json b/tools/src/test/resources/1.5/invalid-component-ref-1.5.json index c00f57d1..ed13f526 100644 --- a/tools/src/test/resources/1.5/invalid-component-ref-1.5.json +++ b/tools/src/test/resources/1.5/invalid-component-ref-1.5.json @@ -15,6 +15,12 @@ "bom-ref": "123", "name": "acme-library", "version": "1.0.0" + }, + { + "type": "library", + "bom-ref": "", + "name": "acme-library", + "version": "1.0.0" } ] } diff --git a/tools/src/test/resources/1.5/invalid-dependency-1.5.json b/tools/src/test/resources/1.5/invalid-dependency-1.5.json index 8b46f0d0..f4f52452 100644 --- a/tools/src/test/resources/1.5/invalid-dependency-1.5.json +++ b/tools/src/test/resources/1.5/invalid-dependency-1.5.json @@ -27,6 +27,12 @@ { "dependsOn": [] }, + { + "ref": "", + "dependsOn": [ + "library-a" + ] + }, { "ref": "library-b", "dependsOn": [ diff --git a/tools/src/test/resources/1.5/invalid-dependency-1.5.xml b/tools/src/test/resources/1.5/invalid-dependency-1.5.xml index c888359d..f36722e5 100644 --- a/tools/src/test/resources/1.5/invalid-dependency-1.5.xml +++ b/tools/src/test/resources/1.5/invalid-dependency-1.5.xml @@ -20,6 +20,7 @@ + From 145d4adbcd83caa26921900cc659557b2c81bad8 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 5 Jun 2023 09:54:53 +0200 Subject: [PATCH 8/9] make `bom.version` a positive integer, was integer Signed-off-by: Jan Kowalleck --- schema/bom-1.5.schema.json | 1 + schema/bom-1.5.xsd | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/schema/bom-1.5.schema.json b/schema/bom-1.5.schema.json index 4319d0af..b6c2eadd 100644 --- a/schema/bom-1.5.schema.json +++ b/schema/bom-1.5.schema.json 
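Review bot: The added component with `"bom-ref": ""` is placed in a fixture that is already invalid by construction (it is the existing invalid-component-ref document, and the preceding `"bom-ref": "123"` entry appears to be the earlier violation), so a validator that stops at the first error, or a test that only asserts "document is invalid", never demonstrates that the new `minLength: 1` rule is what rejects the empty ref. A separate fixture per violation, or an assertion on the specific error path, would show the constraint is actually exercised; the same applies to the empty `"ref": ""` dependency added to `invalid-dependency-1.5.json` in the next hunk, which sits beside the pre-existing `{ "dependsOn": [] }` case.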
@@ -42,6 +42,7 @@ "type": "integer", "title": "BOM Version", "description": "Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.", + "minimum": 1, "default": 1, "examples": [1] }, diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd index d120e0fc..dcfbaf33 100644 --- a/schema/bom-1.5.xsd +++ b/schema/bom-1.5.xsd @@ -4100,7 +4100,7 @@ limitations under the License. - + Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with From 4965ffcc4ab632baee9f52848e57c2843b2863a4 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 5 Jun 2023 23:45:26 +0200 Subject: [PATCH 9/9] streamlined `bomLink` regex Signed-off-by: Jan Kowalleck --- schema/bom-1.5.xsd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd index dcfbaf33..4dd32a06 100644 --- a/schema/bom-1.5.xsd +++ b/schema/bom-1.5.xsd @@ -63,7 +63,7 @@ limitations under the License. - + @@ -75,7 +75,7 @@ limitations under the License. - +