OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
If a property is required, it should also not be an empty string. There are many places in the BOM schema where we use "required": [...] but do not also verify that these properties have "minLength": 1. An example is .components[].name: https://github.com/CycloneDX/specification/blob/8e131b1688ccfe41e1bfdd4b3280f33dcc06d04c/schema/bom-1.6.schema.json#L831

It may be that optional properties should have this constraint as well. Consider the following example:
If whatever does not have a version, it would be more clear if that key were to be omitted rather than provided as an empty string.
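
One way to audit a schema for the gap described above, as an added example that is not part of the original issue or of the CycloneDX project's code. The schema fragment is constructed for illustration, and the names `SAMPLE_SCHEMA`, `accepts_empty` and `find_gaps` are hypothetical; `$ref` targets are reached by walking `definitions` rather than by resolving references.

```python
import json

# Constructed schema fragment for illustration; not copied from bom-1.6.schema.json.
SAMPLE_SCHEMA = json.loads("""
{
  "properties": {"components": {"type": "array", "items": {"$ref": "#/definitions/component"}}},
  "definitions": {"component": {
    "type": "object",
    "required": ["type", "name"],
    "properties": {
      "type": {"type": "string", "enum": ["application", "library"]},
      "name": {"type": "string"},
      "version": {"type": "string"},
      "purl": {"type": "string", "minLength": 1}
    }
  }}
}
""")

def accepts_empty(sub):
    """True if a string sub-schema has no keyword checked here that rejects ""."""
    if sub.get("type") != "string" or sub.get("minLength", 0) >= 1:
        return False
    if "enum" in sub:
        return "" in sub["enum"]
    if "const" in sub:
        return sub["const"] == ""
    return True  # "pattern"/"format" are not evaluated, so those may be false positives

def find_gaps(node, path="#", include_optional=False):
    """Walk a schema and list pointer-style paths of properties where "" validates."""
    gaps = []
    if isinstance(node, list):
        for i, child in enumerate(node):
            gaps += find_gaps(child, f"{path}/{i}", include_optional)
    elif isinstance(node, dict):
        required = node.get("required", [])
        for key, child in node.items():
            if key == "properties" and isinstance(child, dict):
                for name, sub in child.items():
                    here = f"{path}/properties/{name}"
                    if isinstance(sub, dict) and accepts_empty(sub) and (
                            include_optional or name in required):
                        gaps.append(here)
                    gaps += find_gaps(sub, here, include_optional)
            else:
                gaps += find_gaps(child, f"{path}/{key}", include_optional)
    return gaps
```

Calling `find_gaps(schema)` reports only required properties; passing `include_optional=True` also covers the optional case raised at the end of the issue, such as a `version` supplied as an empty string.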