feat: support CycloneDX 1.6.1 (#742)

Signed-off-by: Jan Kowalleck <[email protected]>

cyclonedx/schema/_res/README.md

@@ -4,7 +4,7 @@ some schema for offline use as download via [script](../../../tools/schema-downl
 original sources: <https://github.com/CycloneDX/specification/tree/master/schema>
 
 Currently using version
-[5f3ee8066491d31ec6a6d02968243d9688d7e49c](https://github.com/CycloneDX/specification/commit/5f3ee8066491d31ec6a6d02968243d9688d7e49c)
+[8a27bfd1be5be0dcb2c208a34d2f4fa0b6d75bd7](https://github.com/CycloneDX/specification/commit/8a27bfd1be5be0dcb2c208a34d2f4fa0b6d75bd7)
 
 | file | note |
 |------|------|

tests/_data/schemaTestData/1.6/invalid-bomformat-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "AnotherFormat",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/invalid-component-ref-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
@@ -10,12 +11,6 @@
       "name": "acme-library",
       "version": "1.0.0"
     },
-    {
-      "type": "library",
-      "bom-ref": "123",
-      "name": "acme-library",
-      "version": "1.0.0"
-    },
     {
       "type": "library",
       "bom-ref": "",

tests/_data/schemaTestData/1.6/invalid-component-ref-1.6.xml

@@ -10,6 +10,10 @@
                     <name>acme-library</name>
                     <version>1.0.0</version>
                 </component>
+                <component type="library" bom-ref="123">
+                    <name>acme-library2</name>
+                    <version>1.0.0</version>
+                </component>
                 <component type="library" bom-ref="">
                     <!-- empty value in attribute `bom-ref` -->
                     <name>acme-library</name>

tests/_data/schemaTestData/1.6/invalid-component-swid-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/invalid-component-type-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/invalid-dependency-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/invalid-empty-component-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/invalid-hash-alg-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/invalid-hash-md5-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/invalid-hash-sha1-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/invalid-hash-sha256-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/invalid-hash-sha512-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/invalid-issue-type-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/invalid-license-choice-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/invalid-license-encoding-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/invalid-license-id-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/invalid-license-missing-id-and-name-1.6.json

@@ -1,10 +1,12 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
   "version": 1,
   "components": [
     {
+      "type": "library",
       "name": "license-with-no-id-nor-name",
       "version": "23",
       "description": "testcase for issue#288",

tests/_data/schemaTestData/1.6/invalid-metadata-license-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/invalid-metadata-timestamp-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/invalid-missing-component-type-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/invalid-patch-type-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/invalid-properties-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:bcb403ae-91fa-436e-bc93-84d1078cdeed",

tests/_data/schemaTestData/1.6/invalid-scope-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/invalid-serialnumber-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f",

tests/_data/schemaTestData/1.6/invalid-service-data-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/valid-annotation-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
@@ -76,6 +77,13 @@
             "name": "Partner Org",
             "url": [
               "https://partner.org"
+            ],
+            "contact" : [
+              {
+                "name": "Support",
+                "email": "[email protected]",
+                "phone": "800-555-1212"
+              }
             ]
           },
           "group": "org.partner",

tests/_data/schemaTestData/1.6/valid-annotation-1.6.xml

@@ -21,7 +21,7 @@
                     </contact>
                 </organization>
             </annotator>
-            <timestamp>2020-04-07T07:01:00Z</timestamp>
+            <timestamp>2022-01-01T00:00:00Z</timestamp>
             <text>This is a sample annotation made by an organization</text>
         </annotation>
         <annotation bom-ref="annotation-2">
@@ -35,8 +35,8 @@
                     <phone>800-555-1212</phone>
                 </individual>
             </annotator>
-            <timestamp>2020-04-07T07:01:00Z</timestamp>
-            <text>This is a sample annotation made by an person</text>
+            <timestamp>2022-01-01T00:00:00Z</timestamp>
+            <text>This is a sample annotation made by a person</text>
         </annotation>
         <annotation bom-ref="annotation-3">
             <subjects>
@@ -48,7 +48,7 @@
                     <version>9.1.2</version>
                 </component>
             </annotator>
-            <timestamp>2020-04-07T07:01:00Z</timestamp>
+            <timestamp>2022-01-01T00:00:00Z</timestamp>
             <text>This is a sample annotation made by a component</text>
         </annotation>
         <annotation bom-ref="annotation-4">
@@ -62,7 +62,7 @@
                         <url>https://partner.org</url>
                         <contact>
                             <name>Support</name>
-                            <email>support@partner</email>
+                            <email>support@partner.org</email>
                             <phone>800-555-1212</phone>
                         </contact>
                     </provider>
@@ -76,11 +76,11 @@
                     <authenticated>true</authenticated>
                     <x-trust-boundary>true</x-trust-boundary>
                     <data>
-                        <classification flow="bi-directional">pubic</classification>
+                        <classification flow="bi-directional">public</classification>
                     </data>
                 </service>
             </annotator>
-            <timestamp>2020-04-07T07:01:00Z</timestamp>
+            <timestamp>2022-01-01T00:00:00Z</timestamp>
             <text>This is a sample annotation made by a service</text>
         </annotation>
     </annotations>

tests/_data/schemaTestData/1.6/valid-assembly-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/valid-attestation-1.6.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",

tests/_data/schemaTestData/1.6/valid-attestation-1.6.xml

@@ -3,9 +3,9 @@
     <declarations>
         <assessors>
             <assessor bom-ref="assessor-1">
-                <thirdParty>false</thirdParty>
+                <thirdParty>true</thirdParty>
                 <organization>
-                    <name>Acme Inc</name>
+                    <name>Assessors Inc</name>
                 </organization>
             </assessor>
         </assessors>
@@ -25,7 +25,7 @@
                         <score>0.8</score>
                         <rationale>Conformance rationale here</rationale>
                         <mitigationStrategies>
-                            <mitigationStrategy>mitigations-1</mitigationStrategy>
+                            <mitigationStrategy>mitigationStrategy-1</mitigationStrategy>
                         </mitigationStrategies>
                     </conformance>
                     <confidence>
@@ -110,7 +110,7 @@
                     <contents>
                         <attachment content-type="text/plain">Mitigation strategy here</attachment>
                     </contents>
-                    <classification>Public</classification>
+                    <classification>Company Confidential</classification>
                     <sensitiveData>Describe sensitive data here</sensitiveData>
                 </data>
                 <created>2023-04-25T00:00:00+00:00</created>

tests/_data/schemaTestData/1.6/valid-bom-1.6.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0"?>
 <bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.6">
     <metadata>
-        <timestamp>2020-04-07T07:01:00Z</timestamp>
+        <timestamp>2020-04-13T20:20:39+00:00</timestamp>
         <tools>
             <tool>
                 <vendor>Awesome Vendor</vendor>
@@ -46,7 +46,7 @@
         </supplier>
     </metadata>
     <components>
-        <component type="application">
+        <component type="application" bom-ref="pkg:maven/com.acme/[email protected]?packaging=jar">
             <author>Joane Doe et al.</author>
             <publisher>Acme Inc</publisher>
             <group>com.acme</group>
@@ -90,7 +90,7 @@
                         <uid>7638417db6d59f3c431d3e1f261cc637155684cd</uid>
                         <url>https://location/to/7638417db6d59f3c431d3e1f261cc637155684cd</url>
                         <author>
-                            <timestamp>2018-11-07T22:01:45Z</timestamp>
+                            <timestamp>2018-11-13T20:20:39+00:00</timestamp>
                             <name>John Doe</name>
                             <email>[email protected]</email>
                         </author>
@@ -105,9 +105,9 @@
                 <notes>Commentary here</notes>
             </pedigree>
         </component>
-        <component type="library">
+        <component type="library" bom-ref="pkg:maven/com.example/[email protected]?packaging=war">
             <supplier>
-                <name>Example Inc.</name>
+                <name>Example, Inc.</name>
                 <url>https://example.com</url>
                 <url>https://example.net</url>
                 <contact>
@@ -121,7 +121,7 @@
                 </contact>
             </supplier>
             <manufacturer>
-                <name>Example-2, Inc.Example-2, Inc.</name>
+                <name>Example-2, Inc.</name>
                 <url>https://example.org</url>
                 <contact>
                     <email>[email protected]</email>
@@ -195,4 +195,9 @@
             </externalReferences>
         </component>
     </components>
+    <dependencies>
+        <dependency ref="pkg:maven/com.acme/[email protected]?packaging=jar">
+            <dependency ref="pkg:maven/com.example/[email protected]?packaging=war"/>
+        </dependency>
+    </dependencies>	
 </bom>

tests/_data/schemaTestData/1.6/valid-component-data-1.6.json

@@ -0,0 +1,30 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "serialNumber": "urn:uuid:1b1bff0e-fdb9-4088-8b9a-1a9f2d9006da",
+  "version": 1,
+  "components": [
+    {
+      "type": "data",
+      "name": "my-configs",
+      "version": "1337",
+      "data": [
+        {
+          "type": "configuration",
+          "name": "app.ini",
+          "contents": {
+            "url": "https://example.com/cfg/1337/app.ini"
+          }
+        },
+        {
+          "type": "other",
+          "name": ".env",
+          "contents": {
+            "url": "https://example.com/cfg/1337/env"
+          }
+        }
+      ]
+    }
+  ]
+}