Skip to content

[1.7] Added citation support and test cases. #630

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Parent: feat: Add support for TLP marking in metadata
merged 18 commits into from
Aug 15, 2025
Merged

[1.7] Added citation support and test cases. #630

merged 18 commits into from
Aug 15, 2025

Conversation

@stevespringett
Copy link
Member

@stevespringett stevespringett commented May 1, 2025
edited by jkowalleck
Loading

Changed

  • Formulations may be used to describe how any referencable object within the BOM came together, including components, services, metadata, declarations, or the BOM itself.
    Before, it was restricted to components and services.

Added

  • Citations - describe how certain information in the BOM came together, or were sourced from, or are asserted.

TODO/DONE

  • JSON schema modified
  • XML schema modified
  • ProtoBuf schema modified
  • JSON examples/test data crafted
  • XML examples/test data crafted
  • ProtoBuf examples/test data crafted

@stevespringett stevespringett requested a review from a team as a code owner May 1, 2025 20:23
@stevespringett stevespringett linked an issue May 1, 2025 that may be closed by this pull request
[FEATURE]: Add citation support #629
Closed
@stevespringett
Corrected tests
84f8e2e 
Signed-off-by: Steve Springett <[email protected]>
@stevespringett
corrected pointer repeating
ec18e41 
Signed-off-by: Steve Springett <[email protected]>
@stevespringett
Added external ref for citation
ddc4842 
Signed-off-by: Steve Springett <[email protected]>
@stevespringett stevespringett added request for comment RFC notice sent A public RFC notice was distributed to the CycloneDX mailing list for consideration labels May 1, 2025
@stevespringett stevespringett added this to the 1.7 milestone May 1, 2025
@jkowalleck jkowalleck self-requested a review May 15, 2025 12:36
@jkowalleck
docs: annotations
7dba14f 
Signed-off-by: Jan Kowalleck <[email protected]>
jkowalleck
jkowalleck requested changes May 20, 2025
View reviewed changes
@jkowalleck jkowalleck requested a review from a team May 20, 2025 09:33
@jkowalleck
Copy link
Member

RFC notice sent on May 1, 2025

Public RFC period ended May 29, 2025

@jkowalleck
Copy link
Member

@stevespringett i see lacks in the implementation. I'd reject the current version for its unclear implementation.

@stevespringett
Added explicit documentation in XSD and Proto that either attributedT…
a3d7d01 
…o or process (or both) are required. Added invalid JSON test case.

Signed-off-by: Steve Springett <[email protected]>
@stevespringett stevespringett added RFC vote accepted promote to tc54 Promote to Ecma Technical Committee 54 labels Jul 2, 2025
@jkowalleck
Copy link
Member

jkowalleck commented Jul 3, 2025
edited
Loading

my remark was clarified. since there is no question left in the spec, this is ready for TC54 vote.

i will fix the current merge conflicts, and i will add additional valid/invalid examples according to spec, and might adjust the schemas to detect the invalid cases if possible.

PS:
got it implemented in XSD via abcc29d
but the Java/Saxon foo is breaking for poor implementation - https://github.com/CycloneDX/specification/actions/runs/16050317279/job/45291176560?pr=630
will revert the XSD improvements. 😭

@jkowalleck jkowalleck self-requested a review July 3, 2025 11:32
@jkowalleck
Copy link
Member

jkowalleck commented Jul 3, 2025
edited
Loading

after reading this spec again, i really do not like it. 👎

the idea of pointer is a horror for most implementations that use (unsorted) sets for data storage. the order of most elements never really mattered, but now it does.
this spec is much to much dependent of schema implementations (XML/JSON/PB) and programming-language implementations.

PS:

I understand the idea - have something to annotate everything, without the need of adding bom-ref at all objects.
Unfortunately, the proposed spec with pointers is not an ideal solution for the following points.

  • it makes transformation (e.g. from JSON to XML) non-trivial/complex/hard - since data structures are not the same in all schemas
  • it is not downstream-implementation friendly - since it requires tracking order of elements.

Were alternatives considered during the development of this solution?

jkowalleck added 4 commits July 3, 2025 14:24
@jkowalleck
added additional test cases, and adjusted the XSD to detect them
abcc29d 
Signed-off-by: Jan Kowalleck <[email protected]>
@jkowalleck
revert XSD improvements
4a24b07 
Signed-off-by: Jan Kowalleck <[email protected]>
@jkowalleck
docs
c486d31 
Signed-off-by: Jan Kowalleck <[email protected]>
@jkowalleck
docs
0f225ad 
Signed-off-by: Jan Kowalleck <[email protected]>
jkowalleck
jkowalleck reviewed Jul 3, 2025
View reviewed changes
@stevespringett
Added expressions - JSONPath and XPath as an alternative to JSON Poin…
f315e00 
…ter. Updated formulation description. Updated test cases.

Signed-off-by: Steve Springett <[email protected]>
@stevespringett
Copy link
Member Author

The updated PR adds support for "expressions" supporting both JSONPath and XPath. The choice of using a pointer or an expression has been implemented in JSON and XML and explained in the protobuf.

The definition of formulation has been extended to capture its true purpose.

@jkowalleck jkowalleck requested a review from a team August 5, 2025 14:36
@jkowalleck jkowalleck mentioned this pull request Aug 6, 2025
Merged
jkowalleck and others added 6 commits August 6, 2025 09:38
@jkowalleck
Merge branch '1.7-dev' into 1.7-dev-citations
bcdcaca
@jkowalleck
streamlined some docs
22f8b63 
Signed-off-by: Jan Kowalleck <[email protected]>
@jkowalleck
wip
efbbbf4 
Signed-off-by: Jan Kowalleck <[email protected]>
@jkowalleck
wip
2bf3edc 
Signed-off-by: Jan Kowalleck <[email protected]>
@jkowalleck
tests
fd1a034 
Signed-off-by: Jan Kowalleck <[email protected]>
@jkowalleck
[1.7] citation: proposed changes 2 (#667)
e9689a5 
on top of #630

changes:
- ADDED: citation's "attributedTo" may also link to tools -- yes, we
have "processes", which are basically tools, but this way it might get
more convenient to use citations for BOM generators.
- DOCS: streamlined documentation
- REFACTOR: reworked the ProtoBuf structures to match some constraints
in the the spec -- `choice`/`oneOf` ...
- TESTS: practical examples for `citation.expressions`
@jkowalleck jkowalleck requested a review from a team August 11, 2025 08:40
@jkowalleck jkowalleck changed the title Added citation support and test cases. [1.7] Added citation support and test cases. Aug 11, 2025
@stevespringett stevespringett merged commit 680b4fc into 1.7-dev Aug 15, 2025
9 checks passed
@stevespringett stevespringett deleted the 1.7-dev-citations branch August 15, 2025 01:27
@jkowalleck jkowalleck mentioned this pull request Aug 15, 2025
Merged
stevespringett added a commit that referenced this pull request Oct 21, 2025
@stevespringett
v1.7 (#511)
11c0e00 
## Fixed

* XML schema: add type for `ComponentData` sub-elements ([#600] via
[#601])
* JSON schema: added the correct `deprecated` mark for already
deprecated structures (via [a973a6b])

## Deprecated

* Deprecated various fields and structures related to _cryptographic
transparency_ - _CBOM_ . (via [#657])
Use the newly added structures and fields for detailing the information
instead.

## Changed

* Extended the scope of _formulations_. (via [#647])
From now on, _formulations_ may be used to describe how any referencable
object within the BOM came together, including components, services,
metadata, declarations, or the BOM itself.
  Before, it was restricted to components and services.

## Added

* Support for _external components_ with _version-ranges_ ([#321] via
[#586])
* Support for _multiple_ SPDX License Expressions alongside with other
licenses ([#454] via [#582])
* Support for _Streebog hashing algorithm_ ([#485] via [#525])
* Support for license expression _details and properties_ ([#549],
[#554] via [#599])
* Support for expressing BOM distribution constraints with the _Traffic
Light Protocol_ (TLP) in metadata ([#595] via [#604], [#653])
* Support for representing _patent information_ ([#596] via [#597])
* Support for _properties_ on external-references ([#608] via [#610])
* Support for _citations_ ([#630] via [#629])
* Support for detailing _cryptographic transparency_ information -
_CBOM_ ([#569] via [#657])

## Documentation

* Elaborated component classification "platform", explicitly expressed
that it includes just-in-time compilers and interpreters ([#233] via
[#647])
* Removed the term "optional" from the schema where the definition was
already unambiguous ([#616], [#649] via [#680])

## Test data

* Add test data for CycloneDX 1.7 implementations in XML, JSON, Protobuf


[#233]: #233
[#321]: #321
[#454]: #454
[#485]: #485
[#525]: #525
[#549]: #549
[#554]: #554
[#569]: #569
[#582]: #582
[#586]: #586
[#595]: #595
[#596]: #596
[#597]: #597
[#599]: #599
[#600]: #600
[#601]: #601
[#604]: #604
[#608]: #608
[#610]: #610
[#616]: #616
[#629]: #629
[#630]: #630
[#647]: #647
[#649]: #649
[#653]: #653
[#657]: #657
[#680]: #680
[a973a6b]:
a973a6b

----

- fixes #233
- fixes #321
- fixes #454
- fixes #485
- fixes #549
- fixes #554
- fixes #595
- fixes #596
- fixes #600
- fixes #608
- fixes #629
- fixes #616 
- fixes #649
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jkowalleck jkowalleck jkowalleck approved these changes

Assignees

No one assigned

Labels

CDX 1.7 related to release v1.7 promote to tc54 Promote to Ecma Technical Committee 54 proposed core enhancement request for comment RFC notice sent A public RFC notice was distributed to the CycloneDX mailing list for consideration RFC vote accepted

Projects

None yet

Milestone

1.7

Development

Successfully merging this pull request may close these issues.

[FEATURE]: Add citation support

2 participants

@stevespringett @jkowalleck