CycloneDX / specification

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
https://cyclonedx.org/
Apache License 2.0

All required properties should have `"minLength": 1` #461

Open Brcrwilliams opened 4 months ago

Brcrwilliams commented 4 months ago

If a property is required, it should also not be an empty string. There are many places in the BOM schema where we use `"required": [...]` but do not also verify that these properties have `"minLength": 1`.

An example is .components[].name: https://github.com/CycloneDX/specification/blob/8e131b1688ccfe41e1bfdd4b3280f33dcc06d04c/schema/bom-1.6.schema.json#L831

It may be that optional properties should have this constraint as well. Consider the following example:

```json
{
  "type": "library",
  "name": "whatever",
  "version": ""
}
```

If `whatever` does not have a version, it would be more clear if that key were to be omitted rather than provided as an empty string.
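As an added illustration of the gap this issue describes (example code, not from the CycloneDX project), the Python below walks a constructed, cut-down schema fragment, lists the required string properties that `""` would satisfy, adds `"minLength": 1` to them, and checks the empty-version component above against both versions. The schema fragment and the function names are assumptions, not the real bom-1.6.schema.json.

```python
import copy

# Constructed stand-in for a fragment of the component definition in
# bom-1.6.schema.json (hypothetical, cut down; not the real schema).
COMPONENT_SCHEMA = {
    "type": "object",
    "required": ["type", "name"],
    "properties": {
        "type": {"type": "string", "enum": ["library", "application"]},
        "name": {"type": "string"},
        "version": {"type": "string"},
        "supplier": {"type": "object", "required": ["name"],
                     "properties": {"name": {"type": "string"}}},
    },
}

def required_without_minlength(schema, path="$"):
    """List required string properties that an empty string would satisfy."""
    props = schema.get("properties", {})
    found = []
    for prop in schema.get("required", []):
        sub = props.get(prop, {})
        # An enum of non-empty values already rules out "", so skip those.
        if sub.get("type") == "string" and "enum" not in sub and sub.get("minLength", 0) < 1:
            found.append(f"{path}.{prop}")
    for prop, sub in props.items():  # recurse into nested objects
        if sub.get("type") == "object":
            found.extend(required_without_minlength(sub, f"{path}.{prop}"))
    return found

def harden(schema):
    """Copy of schema with "minLength": 1 added to every flagged property."""
    out = copy.deepcopy(schema)
    for target in required_without_minlength(out):
        node = out
        for key in target.split(".")[1:]:  # "$.supplier.name" -> supplier, name
            node = node["properties"][key]
        node["minLength"] = 1
    return out

def errors(instance, schema):
    """Check only required and minLength (not a full JSON Schema validator)."""
    errs = [f"missing {p}" for p in schema.get("required", []) if p not in instance]
    for prop, sub in schema.get("properties", {}).items():
        val = instance.get(prop)
        if isinstance(val, str) and len(val) < sub.get("minLength", 0):
            errs.append(f"{prop} shorter than minLength")
        elif isinstance(val, dict):
            errs.extend(f"{prop}.{e}" for e in errors(val, sub))
    return errs
```

Note that `harden` only touches required properties, so the optional empty `"version"` still passes; extending the rule to optional strings is the open question the comment raises.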

stevespringett commented 4 months ago

Thanks @Brcrwilliams. We'll add this to the 2.0 backlog.