CycloneDX / specification

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
https://cyclonedx.org/
Apache License 2.0

`component.evidence` is repeated in proto and object in jsonschema #422

Open prabhu opened 2 months ago

prabhu commented 2 months ago

Looks like this got missed somehow

I think it must be optional in the proto as well.

https://github.com/CycloneDX/specification/blob/master/schema/bom-1.6.proto#L136

https://github.com/CycloneDX/specification/blob/master/schema/bom-1.6.schema.json#L2079

Originally reported here

jkowalleck commented 2 months ago

confirmed.

in ProtoBuf is it a repeated (optional) element: https://github.com/CycloneDX/specification/blob/55343ba19dee1785acf1ce9191540d5fd7b590db/schema/bom-1.6.proto#L135-L136

in JSON it is a single optional element: https://github.com/CycloneDX/specification/blob/55343ba19dee1785acf1ce9191540d5fd7b590db/schema/bom-1.6.schema.json#L1061-L1065

in XML it is a single optional element: https://github.com/CycloneDX/specification/blob/55343ba19dee1785acf1ce9191540d5fd7b590db/schema/bom-1.6.xsd#L680-L684

i agree, there is a difference.

jkowalleck commented 2 months ago

https://github.com/CycloneDX/specification/issues/272#issuecomment-1869972139

Actually, the defect is in the JSON and XML schemas. In this case, the protobuf is correct. Identity should be an array.

jkowalleck commented 2 months ago

@stevespringett so we make the JSON/XML being a list?

prabhu commented 2 months ago

@jkowalleck I thought only evidence.identity becomes an array, while evidence continued to be an object.

jkowalleck commented 2 months ago

> @jkowalleck I thought only evidence.identity becomes an array, while evidence continued to be an object.

i see. proposed a PR to fix it: https://github.com/CycloneDX/specification/pull/425