feat: decouple metadata from its component #379

@jkowalleck jkowalleck commented Feb 14, 2024

The following changes were made with the intent to not introduce breaking changes,
neither syntactic nor semantic(!)

Changes


TODO

  • update JSON schema
  • update XSD
  • update protobuf schema
  • add examples and test resources

Follow up tasks

- add `component.manufacturer`
- add `component.authors`
- deprecate `component.author` in favour of `component.authors` and `component.manufacturer`
- deprecate `metadata.manufacture` in favour of `metadata.component.manufacturer`
- deprecate `metadata.supplier` in favour of `metadata.component.supplier`

Signed-off-by: Jan Kowalleck <[email protected]>
@jkowalleck jkowalleck added this to the 1.6 milestone Feb 14, 2024
@jkowalleck jkowalleck changed the title feat: devide metadata from its component [DRAFT] feat: devide metadata from its component Feb 14, 2024
@jkowalleck
Member Author

current state supersedes #370 #372
current state is a basis for further discussions.

@jkowalleck jkowalleck changed the title [DRAFT] feat: devide metadata from its component [DRAFT] feat: decouple metadata from its component Feb 14, 2024
@jkowalleck
Member Author

jkowalleck commented Feb 15, 2024

Originally I had planned the following:

In a discussion with members of the CoreWorkingGroup, they told me to do the following instead:

  • state in the description of metadata.supplier that the field has a different meaning per spec version.
    • < 1.6, the meaning was "supplier of the component described by the BOM" (old/legacy)
    • >= 1.6, the meaning will be "supplier of the BOM"
      previous capability would be shifted in favour of metadata.component.supplier

the proposal would cause breaking semantic changes. I do not want to bring any breaking change into the spec.
Therefore I will drop the aspect 'supplier' entirely from this PR.

@nscuro
Member

nscuro commented Feb 16, 2024

> the proposal would cause breaking semantic changes. I do not want to bring any breaking change into the spec.
> Therefore I will drop the aspect 'supplier' entirely from this PR.

Are you referring to the original proposal, the proposal of the ICWG, or both? Reads like the latter.

@jkowalleck
Member Author

jkowalleck commented Feb 16, 2024

> > the proposal would cause breaking semantic changes. I do not want to bring any breaking change into the spec.
> > Therefore I will drop the aspect 'supplier' entirely from this PR.
>
> Are you referring to the original proposal, the proposal of the IWG, or both? Reads like the latter.

The latter one. The idea from the CWG would include breaking changes, literally.
My original proposal would not be breaking in any way.

Signed-off-by: Jan Kowalleck <[email protected]>
@jkowalleck jkowalleck marked this pull request as ready for review February 20, 2024 23:08
@jkowalleck jkowalleck requested a review from a team as a code owner February 20, 2024 23:08
@jkowalleck jkowalleck changed the title [DRAFT] feat: decouple metadata from its component feat: decouple metadata from its component Feb 20, 2024
Signed-off-by: Jan Kowalleck <[email protected]>
@stevespringett stevespringett added promote to tc54 Promote to Ecma Technical Committee 54 tc54 reviewed Ecma TC54 has reviewed the feature candidate tc54 accepted Ecma TC54 has accepted the feature candidate labels Feb 21, 2024
@stevespringett stevespringett merged commit 2734b3f into CycloneDX:1.6-dev Feb 22, 2024
7 checks passed
stevespringett added a commit that referenced this pull request Apr 9, 2024
## Added

* Core enhancement: Attestation
([#192](#192) via
[#348](#348))
* Core enhancement: Cryptography Bill of Materials — CBOM
([#171](#171),
[#291](#291) via
[#347](#347))
* Feature to express the URL to source distribution
([#98](#98) via
[#269](#269))
* Feature to express the URL to RFC 9116 compliant documents
([#380](#380) via
[#381](#381))
* Feature to express tags/keywords for services and components (via
[#383](#383))
* Feature to express details for component authors
([#335](#335) via
[#379](#379))
* Feature to express details for component and BOM manufacturer
([#346](#346) via
[#379](#379))
* Feature to express communicate concluded values from observed
evidences ([#411](#411)
via [#412](#412))
* Features to express license acknowledgement
([#407](#407) via
[#408](#408))
* Feature to express environmental consideration information for model
cards ([#396](#396) via
[#395](#395))
* Feature to express the address of organizational entities (via
[#395](#395))
* Feature to express additional component identifiers: Universal Bill Of
Receipts Identifier and Software Heritage persistent IDs
([#413](#413) via
[#414](#414))

## Fixed

* Allow multiple evidence identities by XML/JSON schema
([#272](#272) via
[#359](#359))
  This was already correct via ProtoBuff schema.
* Prevent empty `license` entities by XML schema
([#288](#288) via
[#292](#292))
  This was already correct in JSON/ProtoBuff schema.
* Prevent empty or malformed `property` entities by JSON schema
([#371](#371) via
[#375](#375))
  This was already correct in XML/ProtoBuff schema.
* Allow multiple `licenses` in `Metadata` by ProtoBuff schema
([#264](#264) via
[#401](#401))
  This was already correct in XML/JSON schema.

## Changed

* Allow arbitrary `$schema` values by JSON schema
([#402](#402) via
[#403](#403))
* Increased max length of `versionRange` (via
[`3e01ce6`](3e01ce6))
* Harmonized length of `version` (via
[#417](#417))

## Deprecated

* Data model "Component"'s field `author` was deprecated. (via
[#379](#379))
  Use field `authors` or field `manufacturer` instead.
* Data model "Metadata"'s field `manufacture` was deprecated.
([#346](#346) via
[#379](#379))
  Use "Metadata"'s field `component`'s field `manufacturer` instead. 
  - for XML: `/bom/metadata/component/manufacturer`
  - for JSON: `$.metadata.component.manufacturer`
  - for ProtoBuf: `Bom:metadata.component.manufacturer`

## Documentation

* Centralize version and version-range (via
[#322](#322))
* Streamlined SPDX expression related descriptions (via
[#327](#327))
* Enhanced descriptions of `bom-ref`/`refType`
([#336](#336) via
[#344](#344))
* Enhanced readability of enum documentation in JSON schema
([#361](#361) via
[#362](#362))
* Fixed typo "compliment" -> "complement" (via
[#369](#369))
* Added documentation for enum "ComponentScope"'s values in JSON schema
([#293](#293) via
[`d92e58e`](d92e58e))
  Texts were taken from the existing ones in XML/ProtoBuff schema.
* Added documentation for enum "TaskType"'s values
([#245](#245) via
[#377](#377))
* Improve documentation for data model "Metadata"'s field `licenses`
([#273](#273) via
[#378](#378))
* Added documentation for enum "MachineLearningApproachType"'s values
([#351](#351) via
[#416](#416))
* Rephrased some texts here and there.

## Test data

* Added test data for newly added use cases
* Added quality assurance for our ProtoBuf schemas
([#384](#384) via
[#385](#385))
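
The deprecations listed in the changelog above, as an added example that is not part of the original pull request or the CycloneDX project's own code: a check that reports deprecated fields in a JSON BOM by path and moves `metadata.manufacture` to `metadata.component.manufacturer`. The function names and the sample BOM are constructed for illustration.

```python
import copy

# Constructed sample BOM (not from the page); field names follow the changelog.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "metadata": {
        "manufacture": {"name": "Example Org"},
        "component": {"type": "application", "name": "demo-app", "author": "Jane Doe"},
    },
    "components": [
        {"type": "library", "name": "libdemo", "author": "ACME",
         "components": [{"type": "library", "name": "inner", "author": "ACME"}]},
        {"type": "library", "name": "clean", "authors": [{"name": "Jane Doe"}]},
    ],
}

def find_deprecated(bom):
    """Return the JSON paths of fields the 1.6 changelog marks as deprecated."""
    hits = []
    meta = bom.get("metadata", {})
    if "manufacture" in meta:
        hits.append("$.metadata.manufacture")

    def walk(comp, path):
        if "author" in comp:  # deprecated; `authors` / `manufacturer` replace it
            hits.append(f"{path}.author")
        for i, child in enumerate(comp.get("components", [])):
            walk(child, f"{path}.components[{i}]")

    if isinstance(meta.get("component"), dict):
        walk(meta["component"], "$.metadata.component")
    for i, comp in enumerate(bom.get("components", [])):
        walk(comp, f"$.components[{i}]")
    return hits

def migrate_manufacture(bom):
    """Return a copy with metadata.manufacture moved to metadata.component.manufacturer.

    The copy is left as-is when there is no metadata.component to receive the
    value or when it already has a manufacturer, so nothing is overwritten.
    `author` is only reported: choosing `authors` or `manufacturer` needs a human.
    """
    out = copy.deepcopy(bom)
    meta = out.get("metadata", {})
    comp = meta.get("component")
    if "manufacture" in meta and isinstance(comp, dict) and "manufacturer" not in comp:
        comp["manufacturer"] = meta.pop("manufacture")
    return out
```
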
Labels
promote to tc54 Promote to Ecma Technical Committee 54 proposed core enhancement ready for review tc54 accepted Ecma TC54 has accepted the feature candidate tc54 reviewed Ecma TC54 has reviewed the feature candidate