Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dependency type definition in JSON Schema and XSD Schema are inconsistent #146

Open
ajbrown opened this issue May 11, 2022 · 2 comments · May be fixed by #158
Open

Dependency type definition in JSON Schema and XSD Schema are inconsistent #146

ajbrown opened this issue May 11, 2022 · 2 comments · May be fixed by #158

Comments

@ajbrown
Copy link

ajbrown commented May 11, 2022

The way dependency objects are defined differs between the XSD and the JSON schema and documentation. The published documentation and JSON schema define "dependsOn" as a list of BOM ref strings, whereas the XSD defines the "dependsOn" list as a list of dependency objects, which would allow them to be nested.

The inconsistency causes confusing expectations across languages / systems, as some allow for nested dependencies and others do not.

Additionally, it appears that the XSD defines an element called "dependencies" whereas the JSON schema calls it "dependsOn"

XSD Definition

    <xs:complexType name="dependencyType">
        <xs:sequence minOccurs="0" maxOccurs="unbounded">
            <xs:element name="dependency" type="bom:dependencyType"/>
        </xs:sequence>
        <xs:attribute name="ref" type="bom:refType" use="required">
            <xs:annotation>
                <xs:documentation>References a component or service by the its bom-ref attribute</xs:documentation>
            </xs:annotation>
        </xs:attribute>
        <xs:anyAttribute namespace="##other" processContents="lax">
            <xs:annotation>
                <xs:documentation>User-defined attributes may be used on this element as long as they
                    do not have the same name as an existing attribute used by the schema.</xs:documentation>
            </xs:annotation>
        </xs:anyAttribute>
    </xs:complexType>

JSON Schema Definition

"dependency": {
      "type": "object",
      "title": "Dependency",
      "description": "Defines the direct dependencies of a component. Components that do not have their own dependencies MUST be declared as empty elements within the graph. Components that are not represented in the dependency graph MAY have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an indicator of a component being dependency-free.",
      "required": [
        "ref"
      ],
      "additionalProperties": false,
      "properties": {
        "ref": {
          "$ref": "#/definitions/refType",
          "title": "Reference",
          "description": "References a component by the components bom-ref attribute"
        },
        "dependsOn": {
          "type": "array",
          "uniqueItems": true,
          "additionalItems": false,
          "items": {
            "$ref": "#/definitions/refType"
          },
          "title": "Depends On",
          "description": "The bom-ref identifiers of the components that are dependencies of this dependency object."
        }
      }
    }

Documentation:
Screen Shot 2022-05-11 at 12 43 28 PM

This stems from the issues raised in language libraries around nested dependencies:

@ajbrown
Copy link
Author

ajbrown commented May 11, 2022

Just as a note, it appears the field name difference is handled during (de)serialization by the 2 libraries I checked (Go, Java) so it seems there are no portability issues with that at the moment.

@madpah
Copy link

madpah commented Sep 13, 2022

Good spot @ajbrown - I just came across this working on cyclonedx-python-lib.

@stevespringett / @coderpatros - can we consider aligning the schemas more here, unless there is a good reason to require the difference?

madpah added a commit to madpah/specification that referenced this issue Sep 13, 2022
madpah added a commit to CycloneDX/cyclonedx-python-lib that referenced this issue Sep 13, 2022
madpah added a commit to CycloneDX/cyclonedx-python-lib that referenced this issue Sep 14, 2022
madpah added a commit to CycloneDX/cyclonedx-python-lib that referenced this issue Jan 23, 2023
madpah added a commit to CycloneDX/cyclonedx-python-lib that referenced this issue Jan 23, 2023
madpah added a commit to CycloneDX/cyclonedx-python-lib that referenced this issue Jan 27, 2023
…to workaround which breaks Dependency (de-)serialization for JSON

Signed-off-by: Paul Horton <[email protected]>
madpah added a commit to madpah/serializable that referenced this issue Jan 27, 2023
madpah added a commit to CycloneDX/cyclonedx-python-lib that referenced this issue Feb 27, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants