Open Nicolas-Peiffer opened 2 weeks ago
Thanks for the PR. I think the addition of an xmlcatalog is fine, however, I don't think that `/schema` is the proper place to put it. Every file in that directory is part of the CycloneDX specification or supports it directly. Adding a file that is not part of the specification seems odd to me. Does this belong in `/tools/src/test/resources/schema` perhaps?
> Every file in that directory is part [`schema/`] of the CycloneDX specification or supports it directly.
One could say that the XML catalog directly supports the CycloneDX specification XSD files by providing a way to bind a local filepath with a schema URI / namespace, even in an environment disconnected from the internet. So in that sense, the XML catalog file `schema/xmlcatalog.xml` should be under `schema/`, because it is part of the schema name resolution.
But the content of the `xmlcatalog.xml` file depends on paths... So if you move the file `xmlcatalog.xml` and/or move the XSD files, you need to adjust the paths in `xmlcatalog.xml`.
> Does this belong in `/tools/src/test/resources/schema` perhaps?
I personally do not consider the `xmlcatalog.xml` to be a test resource.
Let's compare XSD files from https://github.com/CycloneDX/cyclonedx-go/ and https://github.com/CycloneDX/specification.
I notice the `schemaLocation` fields for SPDX XSD are different depending on the project:
| Project | schemaLocation for SPDX XSD |
|---|---|
| github.com/CycloneDX/specification | `schemaLocation="http://cyclonedx.org/schema/spdx"` |
| github.com/CycloneDX/cyclonedx-go | `schemaLocation="spdx.xsd"` |
| github.com/CycloneDX/cyclonedx-core-java | `schemaLocation="http://cyclonedx.org/schema/spdx"` |
| github.com/CycloneDX/cyclonedx-python-lib | `schemaLocation="spdx.SNAPSHOT.xsd"` |
`CycloneDX/cyclonedx-python-lib` even gives an explanation in `CycloneDX/cyclonedx-python-lib/cyclonedx/schema/_res/README.md` of what modifications are made between the repo `CycloneDX/specification` and the Python one.
This makes it more difficult to use the CycloneDX schemas, as there are as many CycloneDX schemas as there are implementations.
Below are the results of commands:
git clone github.com/CycloneDX/cyclonedx-go
git clone github.com/CycloneDX/specification
diff cyclonedx-go/schema/bom-1.x.xsd specification/schema/bom-1.x.xsd
diff cyclonedx-go/schema/bom-1.0.xsd specification/schema/bom-1.0.xsd
q12c12
< <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="spdx.xsd"/>
---
> <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="http://cyclonedx.org/schema/spdx"/>
diff cyclonedx-go/schema/bom-1.1.xsd specification/schema/bom-1.1.xsd
27c27
< <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="spdx.xsd"/>
---
> <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="http://cyclonedx.org/schema/spdx"/>
diff cyclonedx-go/schema/bom-1.2.xsd specification/schema/bom-1.2.xsd
27c27
< <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="spdx.xsd"/>
---
> <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="http://cyclonedx.org/schema/spdx"/>
diff cyclonedx-go/schema/bom-1.3.xsd specification/schema/bom-1.3.xsd
27c27
< <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="spdx.xsd"/>
---
> <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="http://cyclonedx.org/schema/spdx"/>
diff cyclonedx-go/schema/bom-1.4.xsd specification/schema/bom-1.4.xsd
27c27
< <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="spdx.xsd"/>
---
> <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="http://cyclonedx.org/schema/spdx"/>
diff cyclonedx-go/schema/bom-1.5.xsd specification/schema/bom-1.5.xsd
diff cyclonedx-go/schema/bom-1.6.xsd specification/schema/bom-1.6.xsd
27c27
< <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="spdx.xsd"/>
---
> <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="http://cyclonedx.org/schema/spdx"/>
2421c2421
< object or an array of identity objects. Support for specifying identify as a single object was
---
> object or an array of identity objects. Support for specifying identity as a single object was
github.com/CycloneDX/specification in the Java, Go and Python CycloneDX implementation
Using a git submodule would streamline the JSON Schema and XSD files across all CycloneDX implementations.
This would also streamline the `valid-` and `invalid-` sample JSON and XML BOM files from `CycloneDX/specification/tools/src/test/resources` across the Java, Go and Python CycloneDX implementations, making unit tests easier to maintain over time and projects.
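As an added example (not code from this thread or from any CycloneDX repository), the check below reports every `xs:import` that would not resolve without network access, whether it relies on an OASIS XML catalog entry or on a relative `schemaLocation`, and shows how a catalog moved without adjusting its paths stops resolving. The directory layout, the catalog contents and the function names are constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

CAT_NS = "{urn:oasis:names:tc:entity:xmlns:xml:catalog}"
XS_IMPORT = "{http://www.w3.org/2001/XMLSchema}import"

def load_catalog(catalog: Path) -> dict:
    """Map each <uri name> / <system systemId> to a path relative to the catalog file."""
    mapping = {}
    for el in ET.parse(catalog).getroot().iter():
        if el.tag in (CAT_NS + "uri", CAT_NS + "system"):
            key = el.get("name") or el.get("systemId")
            mapping[key] = (catalog.parent / el.get("uri")).resolve()
    return mapping

def audit(catalog: Path, xsds: list) -> list:
    """Return (xsd name, schemaLocation, problem) for imports that fail offline."""
    mapping, problems = load_catalog(catalog), []
    for xsd in xsds:
        for imp in ET.parse(xsd).getroot().iter(XS_IMPORT):
            loc = imp.get("schemaLocation", "")
            if "://" in loc:  # remote location: must be bound by the catalog
                target = mapping.get(loc)
                if target is None:
                    problems.append((xsd.name, loc, "no catalog entry"))
                elif not target.is_file():
                    problems.append((xsd.name, loc, "catalog target missing"))
            elif not (xsd.parent / loc).is_file():  # relative location next to the XSD
                problems.append((xsd.name, loc, "local file missing"))
    return problems

def demo() -> tuple:
    """Constructed layout: the same catalog text placed in schema/ and in tools/."""
    root = Path(tempfile.mkdtemp())
    schema, moved = root / "schema", root / "tools"
    cat_xml = ('<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">'
               '<uri name="http://cyclonedx.org/schema/spdx" uri="spdx.xsd"/></catalog>')
    for d in (schema, moved):
        d.mkdir()
        (d / "xmlcatalog.xml").write_text(cat_xml)
    (schema / "spdx.xsd").write_text('<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"/>')
    (schema / "bom.xsd").write_text(
        '<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">'
        '<xs:import namespace="http://cyclonedx.org/schema/spdx" '
        'schemaLocation="http://cyclonedx.org/schema/spdx"/></xs:schema>')
    bom = [schema / "bom.xsd"]
    return audit(schema / "xmlcatalog.xml", bom), audit(moved / "xmlcatalog.xml", bom)
```

`demo()` returns an empty problem list for the catalog sitting beside `spdx.xsd` and one `catalog target missing` entry for the copy under `tools/`.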
Adding an XML catalog file and corresponding Java unit tests to validate that the XML catalog content matches the local XSD file content.
Please see also: https://github.com/CycloneDX/specification/pull/477
I needed to modify the `pom.xml` to include the path to the `schema/` folder. This might not be a Java/Maven best practice, but given how the folders are organised, I have no other solution without changing the folders' location:
Java unit tests seem okay, see picture below: