CycloneDX / specification

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
https://cyclonedx.org/
Apache License 2.0

Consider making specVersion an integer with validations #438

Open prabhu opened 5 months ago

prabhu commented 5 months ago

Currently specVersion is a string. This is creating confusion when consuming tools treat this value as both string and integer.

Example:

https://github.com/CycloneDX/cyclonedx-maven-plugin/blob/925b04fdd74e4e412e1cc06d7fad9e7a102e329c/src/main/java/org/cyclonedx/maven/DefaultModelConverter.java#L236

https://github.com/CycloneDX/cyclonedx-maven-plugin/blob/925b04fdd74e4e412e1cc06d7fad9e7a102e329c/src/it/makeBom/verify.groovy#L11

https://github.com/DependencyTrack/dependency-track/blob/b40ea44864d006079d38a8d159c2d9d1c5fb04f7/src/main/java/org/dependencytrack/model/Vex.java#L131
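The ambiguity described in this report is what a consuming tool has to defend against: a BOM from one producer may carry `specVersion` as the schema's string form, another as a bare number, and a string compared lexically ("1.9" vs a hypothetical "1.10") orders wrongly. The following Python is an added example written for this thread, not code from the CycloneDX project or any of the linked tools; the three sample BOM documents are constructed, and the `1.10` version used to illustrate the float problem is hypothetical.

```python
import json
from typing import Tuple

# Constructed sample BOMs (not taken from the issue): the same document with
# specVersion as the schema's string form, as a bare number, and absent.
BOM_STRING = '{"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1}'
BOM_NUMBER = '{"bomFormat": "CycloneDX", "specVersion": 1.5, "version": 1}'
BOM_MISSING = '{"bomFormat": "CycloneDX", "version": 1}'


def parse_spec_version(raw) -> Tuple[int, int]:
    """Normalise a specVersion value to a (major, minor) tuple.

    Only the string form defined by the schema ("1.5") is accepted. A JSON
    number is refused: JSON parsers read 1.10 as the float 1.1, so a numeric
    specVersion could not tell a hypothetical 1.10 apart from 1.1.
    """
    if raw is None:
        raise ValueError("specVersion is missing")
    if not isinstance(raw, str):
        raise TypeError(f"specVersion must be a string, got {type(raw).__name__}")
    parts = raw.split(".")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"specVersion {raw!r} is not MAJOR.MINOR")
    return int(parts[0]), int(parts[1])


def spec_version_from_json(text: str) -> Tuple[int, int]:
    """Load a JSON BOM and return its specVersion as (major, minor)."""
    return parse_spec_version(json.loads(text).get("specVersion"))


def classify_spec_version(text: str) -> str:
    """Report how a BOM encodes specVersion: 'string', 'number', 'missing'
    or 'other'. Handy for triaging BOMs from mixed tooling before strict
    validation rejects them."""
    raw = json.loads(text).get("specVersion")
    if raw is None:
        return "missing"
    if isinstance(raw, str):
        return "string"
    if isinstance(raw, (int, float)) and not isinstance(raw, bool):
        return "number"
    return "other"


def at_least(text: str, major: int, minor: int) -> bool:
    """True if the BOM's specVersion is >= major.minor, compared numerically."""
    return spec_version_from_json(text) >= (major, minor)


def string_compare_is_wrong(a: str, b: str) -> bool:
    """Show why plain string comparison fails: True when the lexical order
    of a and b disagrees with the numeric order of their components."""
    lexical = a < b
    numeric = parse_spec_version(a) < parse_spec_version(b)
    return lexical != numeric


if __name__ == "__main__":
    print(spec_version_from_json(BOM_STRING))      # (1, 5)
    print(classify_spec_version(BOM_NUMBER))       # number
    print(string_compare_is_wrong("1.9", "1.10"))  # True
```

The design choice is to reject the numeric form outright rather than coerce it: coercion would hide exactly the producer bug this issue is about, and a float cannot round-trip a two-digit minor version.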

jkowalleck commented 5 months ago

I suppose the JSON examples are mere examples, and the intention should also be reflected in XML and ProtoBuf?

jkowalleck commented 3 months ago

See also the discussion here: https://github.com/CycloneDX/specification/discussions/476