-
-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Description of metadata.supplier
is confusing
#345
Comments
I was told, that use case: you have an agency producing your documentation artifact.
PS: since the current docs state otherwise than it was meant, the mentioned facts would be a breaking-change. |
fix CycloneDX#345 CycloneDX#273 Signed-off-by: Jan Kowalleck <[email protected]>
see a discussion result from the CoreWorkingGroup here: #379 (comment)
|
@stevespringett lets move this one to 1.7 |
see #521
|
any ideas how that new field should be named? |
I think we need to seriously consider a minor, but breaking change in the 1.7 release and capture that change in the release notes. |
A breaking change just for the fact that the preferred name of a field is not free anymore? I do not like this. CycloneDX is about the data and the specification. |
As of v1.5, the description of
metadata.supplier
states:specification/schema/bom-1.5.schema.json
Lines 268 to 271 in 299209a
This is in addition to
metadata.component.supplier
, which states:specification/schema/bom-1.5.schema.json
Lines 430 to 434 in 299209a
Based on those descriptions, it is unclear what the subject of
metadata.supplier
is.metadata.component
is the component that the BOM describes, meaningmetadata.component.supplier
would be the same asmetadata.supplier
.As discussed in this Slack thread, it seems that
metadata.supplier
describes the supplier of the BOM itself. If that is the case, the schema documentation should be updated to include this fact.The text was updated successfully, but these errors were encountered: