CycloneDX / specification

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
https://cyclonedx.org/
Apache License 2.0

[Defect]: Inconsistency in the CycloneDX v1.6 - `cryptoRefArray` #498

Closed n1ckl0sk0rtge closed 1 month ago

n1ckl0sk0rtge commented 3 months ago

Describe the defect

There is an inconsistency in the CycloneDX 1.6 spec implementation. The spec talks about cryptoRefArray being part of protocolProperties. https://github.com/CycloneDX/specification/blob/62a669075f1897193a14060e0784e6a7576b693d/schema/bom-1.6.schema.json#L5572-L5576

The 1.6.xsd schema definition does not specify them. https://github.com/CycloneDX/specification/blob/62a669075f1897193a14060e0784e6a7576b693d/schema/bom-1.6.xsd#L7301-L7303

It is also missing in Protobuf. https://github.com/CycloneDX/specification/blob/62a669075f1897193a14060e0784e6a7576b693d/schema/bom-1.6.proto#L2193
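An added illustration of what the gap above means in practice (this is not code from the issue or the CycloneDX project): a BOM that records a protocol's algorithm dependencies only through `protocolProperties.cryptoRefArray` has no equivalent in the 1.6 XSD or Protobuf form, so a conversion or export step should surface that content before it is silently dropped. The sample BOM, the `crypto_ref_report` helper and the dangling-reference check are constructed here; the field names follow the 1.6 JSON schema cited above, and nested `components` are walked as well.

```python
import json

# Constructed sample BOM (not from the issue): a TLS protocol asset that records
# the algorithms it depends on via cryptoRefArray, the field present in the 1.6
# JSON schema but absent from the 1.6 XSD and Protobuf definitions.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "components": [
    {"type": "cryptographic-asset", "name": "AES-128-GCM",
     "bom-ref": "crypto/algorithm/aes-128-gcm",
     "cryptoProperties": {"assetType": "algorithm"}},
    {"type": "cryptographic-asset", "name": "TLS", "bom-ref": "crypto/protocol/tls@1.3",
     "cryptoProperties": {"assetType": "protocol",
       "protocolProperties": {"type": "tls", "version": "1.3",
         "cryptoRefArray": ["crypto/algorithm/aes-128-gcm",
                            "crypto/algorithm/missing"]}}}
  ]
}
""")


def iter_components(components):
    """Yield every component, descending into nested 'components' lists."""
    for comp in components or []:
        yield comp
        yield from iter_components(comp.get("components"))


def crypto_ref_report(bom):
    """Return (at_risk, dangling).

    at_risk maps each protocol component's bom-ref to the cryptoRefArray it
    carries: this is exactly the information lost if the BOM is re-emitted as
    1.6 XML or Protobuf. dangling lists (protocol bom-ref, target) pairs where
    the target bom-ref does not resolve to a component with cryptoProperties.
    """
    all_comps = list(iter_components(bom.get("components")))
    by_ref = {c["bom-ref"]: c for c in all_comps if c.get("bom-ref")}
    at_risk, dangling = {}, []
    for comp in all_comps:
        proto = comp.get("cryptoProperties", {}).get("protocolProperties", {})
        refs = proto.get("cryptoRefArray")
        if not refs:
            continue
        at_risk[comp.get("bom-ref")] = list(refs)
        for ref in refs:
            target = by_ref.get(ref)
            if target is None or "cryptoProperties" not in target:
                dangling.append((comp.get("bom-ref"), ref))
    return at_risk, dangling
```

Run `crypto_ref_report(SAMPLE_BOM)` before converting a JSON BOM to XML or Protobuf; a non-empty `at_risk` means the output will not round-trip under the 1.6 schemas as they stand.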

jkowalleck commented 3 months ago

Report looks about right. Or did I miss something?

stevespringett commented 2 months ago

@n1ckl0sk0rtge My understanding is that the defect is with the XML and Protobuf schemas. Is that correct? And if so, then the JSON schema is accurate, correct?

jkowalleck commented 2 months ago

Possible fix: #502, please review.