OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
```proto
enum Enum {
  A = 0;
  B = 1;
}

message Msg {
  optional Enum enum = 1;
}
```

Closed enums will parse the value 2 and store it in the message's unknown field set. Accessors will report the field as being unset and will return the enum's default value.
Per the proto3 schema definition, enum values of `0` are, by definition, used as "unspecified" or "fallback" values. See https://protobuf.dev/programming-guides/enum/

Therefore, enum value `0` MUST be revisited.

The CDX v1.x protobuf schema has default values for enums, where XML/JSON does not. This is due to the fact that the protobuf schema uses value `0` where it should not.

If these enum values were changed, this would be a breaking change.
This is a follow-up to https://github.com/CycloneDX/specification/pull/385

Examples of wrong usage of `0` in enums:

- `EvidenceTechnique` defaults to `EVIDENCE_TECHNIQUE_SOURCE_CODE_ANALYSIS`
  https://github.com/CycloneDX/specification/blob/8af880d5f2ba0a107de88a920a76cedd5ba75083/schema/bom-1.5.proto#L720-L731
- `ModelParameterApproachType` defaults to `MODEL_PARAMETER_APPROACH_TYPE_SUPERVISED`
  https://github.com/CycloneDX/specification/blob/8af880d5f2ba0a107de88a920a76cedd5ba75083/schema/bom-1.5.proto#L1096-L1102
- `ComponentDataType` defaults to `COMPONENT_DATA_TYPE_SOURCE_CODE`
  https://github.com/CycloneDX/specification/blob/8af880d5f2ba0a107de88a920a76cedd5ba75083/schema/bom-1.5.proto#L1150-L1161
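The problem the issue describes, as an added example that is not code from the CycloneDX project or from the protobuf project. The first part hand-rolls the proto3 wire rules for a varint enum field to show why, with `EVIDENCE_TECHNIQUE_SOURCE_CODE_ANALYSIS = 0`, an unset field and an explicitly chosen value are the same bytes and are reported identically by a reader, and why renumbering changes what already-written bytes mean. The second part is a small lint that flags enums whose value 0 is not a sentinel. Assumptions: field number 1 for the enum field, a hypothetical renumbered enum `HARDENED` with `EVIDENCE_TECHNIQUE_UNSPECIFIED = 0` (not the spec's decision), the `_UNSPECIFIED`/`_UNKNOWN` naming convention, and a constructed `.proto` snippet whose 0-values mirror the ones cited above while its other values are illustrative.

```python
"""Added example (not CycloneDX or protobuf project code). Part 1 models the
proto3 wire rules for an enum field; part 2 lints .proto text for enums whose
value 0 is a real choice. Constants marked as assumptions are illustrative."""
import re
from typing import Dict, List, Optional, Tuple

# ---- Part 1: wire-level behaviour of a proto3 enum field ---------------------

def encode_varint(n: int) -> bytes:
    """Base-128 varint: low 7-bit group first, 0x80 set on all but the last byte."""
    out = bytearray()
    while True:
        group, n = n & 0x7F, n >> 7
        out.append(group | 0x80 if n else group)
        if not n:
            return bytes(out)

def decode_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Returns (value, position after the varint)."""
    result = shift = 0
    while True:
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def encode_enum_field(field_number: int, value: Optional[int]) -> bytes:
    """proto3 implicit presence: a field holding the default 0 is not written,
    so 'unset' (None) and 'explicitly 0' serialize to the same (empty) bytes."""
    if not value:
        return b""
    return encode_varint(field_number << 3 | 0) + encode_varint(value)  # wire type 0

def decode_fields(buf: bytes) -> Dict[int, int]:
    """Parse a buffer of varint fields into {field_number: value}."""
    fields, pos = {}, 0
    while pos < len(buf):
        tag, pos = decode_varint(buf, pos)
        if tag & 7 != 0:
            raise ValueError("only varint fields are modelled here")
        fields[tag >> 3], pos = decode_varint(buf, pos)
    return fields

TECHNIQUE_FIELD = 1  # assumed field number, for illustration only
# bom-1.5.proto as cited in the issue: value 0 is a real technique.
CDX15 = {0: "EVIDENCE_TECHNIQUE_SOURCE_CODE_ANALYSIS"}
# Hypothetical renumbering with a sentinel at 0 (an assumption, not the spec's decision).
HARDENED = {0: "EVIDENCE_TECHNIQUE_UNSPECIFIED", 1: "EVIDENCE_TECHNIQUE_SOURCE_CODE_ANALYSIS"}

def reading(names: Dict[int, str], written: Optional[int]) -> str:
    """Name a reader using `names` reports for a field written as `written`
    (None = never set). Generated accessors return 0 for an absent field."""
    fields = decode_fields(encode_enum_field(TECHNIQUE_FIELD, written))
    n = fields.get(TECHNIQUE_FIELD, 0)
    return names.get(n, f"<enum value {n}>")

# ---- Part 2: lint for enums whose value 0 is not a sentinel -----------------

ENUM_RE = re.compile(r"enum\s+(\w+)\s*\{(.*?)\}", re.S)
VALUE_RE = re.compile(r"(\w+)\s*=\s*(-?\d+)\s*;")
SENTINEL_SUFFIXES = ("_UNSPECIFIED", "_UNKNOWN")  # assumed naming convention

def lint_enum_zero(proto_text: str) -> List[str]:
    """One finding per enum whose 0 is missing or is a real choice."""
    text = re.sub(r"//[^\n]*", "", proto_text)  # drop line comments
    findings = []
    for name, body in ENUM_RE.findall(text):
        values = {k: int(v) for k, v in VALUE_RE.findall(body)}
        zero = [k for k, v in values.items() if v == 0]
        if not zero:
            findings.append(f"{name}: has no value 0 (invalid in proto3)")
        elif not zero[0].endswith(SENTINEL_SUFFIXES):
            findings.append(f"{name}: value 0 is {zero[0]}, a real choice; unset fields read as it")
    return findings

# Constructed snippet: the 0 values mirror the issue's citations; value 1 is illustrative.
SAMPLE_PROTO = """
enum EvidenceTechnique {
  EVIDENCE_TECHNIQUE_SOURCE_CODE_ANALYSIS = 0;  // real choice at 0
  EVIDENCE_TECHNIQUE_OTHER = 1;                 // illustrative
}
enum ModelParameterApproachType {
  MODEL_PARAMETER_APPROACH_TYPE_SUPERVISED = 0;
}
enum Hardened {
  HARDENED_UNSPECIFIED = 0;
  HARDENED_SOURCE_CODE_ANALYSIS = 1;
}
"""

if __name__ == "__main__":
    print(reading(CDX15, None), "==", reading(CDX15, 0))      # indistinguishable
    print(reading(HARDENED, None), "vs", reading(HARDENED, 1))  # distinguishable
    print(reading(CDX15, 1))  # a hardened writer's SOURCE_CODE_ANALYSIS, misread by a 1.5 reader
    for finding in lint_enum_zero(SAMPLE_PROTO):
        print("finding:", finding)
```

`reading(CDX15, None)` and `reading(CDX15, 0)` both come back as `EVIDENCE_TECHNIQUE_SOURCE_CODE_ANALYSIS` because neither produces any bytes on the wire, which is the ambiguity the issue is about; the same bytes `08 01` name a different technique under the two numberings, which is why renumbering is a breaking change rather than a clean-up. The lint is the pre-merge check one would want on the schema files: it reports `EvidenceTechnique` and `ModelParameterApproachType` and accepts `Hardened`.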