
[WIP] v1.7 #511


Draft pull request: wants to merge 125 commits into base branch `master`

Conversation

@jkowalleck (Member) commented Aug 31, 2024


Fixed

  • XML schema: add type for ComponentData sub-elements (#600 via #601)
  • ... TBC ...

Deprecated

  • ... TBD ...

Changed

  • ... TBD ...

Added

  • Support for external components with version-ranges (#321 via #586)

  • Support for Streebog hashing algorithm (#485 via #525)

  • Support for license expression details and properties (#549, #554 via #599)

  • Support for expressing BOM distribution constraints with the Traffic Light Protocol (TLP) in metadata (#595 via #604)

  • Support for representing patent information (#596 via #597)

  • Support for properties on external-references (#608 via #610)

  • ... TBC ...

Documentation

  • Elaborated component classification "platform", explicitly expressed that it includes just-in-time compilers and interpreters (#233 via #647)
  • ... TBD ...

Test data

  • Add test data for CycloneDX 1.7 XML, JSON, Protobuf
  • ... TBC ...

@jkowalleck jkowalleck added this to the 1.7 milestone Aug 31, 2024
jkowalleck and others added 28 commits September 2, 2024 23:55
Signed-off-by: Jan Kowalleck <[email protected]>
1. enabled test runner for schema 1.7
2. copied all test cases from 1.6 to 1.7
3. renamed the files from `*.1.6.*` to `*.1.7.*`
4. migrated the test cases from schema 1.6 to schema 1.7

see the diff/delta of each individual commit for details

Java tests are expected to fail as long as
#256 is not done.
We often only need the latest docs, while developing a new version.
Therefore, the latest version's docs are generated first.
jkowalleck and others added 11 commits February 27, 2025 17:35
# Conflicts:
#	schema/bom-1.7.proto
#	schema/bom-1.7.schema.json
#	schema/bom-1.7.xsd
With this property external references can be annotated with additional
metadata in a machine-readable format.

Signed-off-by: Christoph Steiger <[email protected]>
jkowalleck and others added 17 commits April 3, 2025 18:23
As discussed in ticket #321, this PR adds the following abilities:

- mark components as **external**
  > Determine whether this component is external.
  > An external component is one that is not part of an assembly, but is
  > expected to be provided by the environment, regardless of the
  > component's `@scope`. This setting can be useful for distinguishing
  > which components are bundled with the product and which can be relied
  > upon to be present in the deployment environment.
  > This may be set to `true` for runtime components only. For
  > `/metadata/component`, it must be set to `false`.
- external components may have **version-ranges** instead of a specific
  version
  > For an external component, this specifies the accepted version range.
  > The value must adhere to the Package URL Version Range syntax (vers),
  > as defined at
  > <https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst>.
  > May only be used if `.isExternal` is set to `true`.
  > Must be used exclusively, either 'version' or 'versionRange', but not
  > both.


fixes #321 

----


> [!NOTE]
> this one supersedes #326 <-- read there for more background and
previous discussions

implementing with `components`, because the objects referenced/required
are actually used at runtime and therefore are considered a "component".

Sketch/proposal for  #321

- [x] sketch JSON schema
  - properties and assert
  - test cases
- [x] sketch XML schema
  - elements & attributes.
    No asserts: this would require XSD 1.1, which is not broadly implemented yet.
  - test cases
- [x] sketch Protobuf schema
  - fields
  - test cases

----


> [!NOTE]
> ALL FEEDBACK IS WELCOME! Yes, everything.
> but some might not be resolved in this very PR, but in the
authoritative guides. See
#586 (comment)
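The rules quoted in the commit message above (`versionRange` only on external components, `version` and `versionRange` mutually exclusive, `/metadata/component` never external, range values in purl `vers` syntax) are cross-field constraints; the commit notes that the XML schema cannot assert them without XSD 1.1, so a consumer has to check them itself. The following is an added example, not code from the CycloneDX project: a small Python checker that walks a JSON BOM and reports violations, including a structural parse of the `vers` string. The property names `isExternal`, `versionRange` and `version` are taken from the commit text; the exact names in the released 1.7 schema should be confirmed against `schema/bom-1.7.schema.json`. The `vers` parser is a simplified reading of the linked spec (scheme, `|`-separated constraints with a comparator or `*`), not a full implementation, and the sample BOM is constructed for the example.

```python
"""Check the external-component / version-range rules on a CycloneDX-style
JSON BOM. Added example, not CycloneDX project code. Field names follow
the PR #586 commit text; verify them against the released 1.7 schema."""
import json
import re

# Simplified vers grammar: "vers:<scheme>/<constraint>|<constraint>|..."
# where a constraint is a comparator followed by a version, or "*" alone.
_VERS_RE = re.compile(r"^vers:([a-z][a-z0-9.+-]*)/(.+)$")
# Longer comparators first so "<=" is not read as "<" followed by "=1.0".
_COMPARATORS = ("<=", ">=", "!=", "<", ">", "=")


def parse_vers(value):
    """Return (scheme, [(comparator, version), ...]) or raise ValueError."""
    m = _VERS_RE.match(value)
    if not m:
        raise ValueError(f"not a vers string: {value!r}")
    scheme, body = m.group(1), m.group(2)
    constraints = []
    for raw in body.split("|"):
        raw = raw.strip()
        if raw == "*":
            if body.strip() != "*":
                raise ValueError("'*' must be the only constraint")
            constraints.append(("*", ""))
            continue
        for op in _COMPARATORS:
            if raw.startswith(op):
                version = raw[len(op):]
                break
        else:
            op, version = "=", raw  # bare version: treat as equality (assumption)
        if not version:
            raise ValueError(f"empty version in constraint {raw!r}")
        constraints.append((op, version))
    return scheme, constraints


def check_component(component, path):
    """Return rule violations for one component dict and its nested components."""
    problems = []
    is_external = component.get("isExternal", False)
    has_version = "version" in component
    has_range = "versionRange" in component
    if path == "metadata.component" and is_external:
        problems.append(f"{path}: metadata component must not be external")
    if has_range and not is_external:
        problems.append(f"{path}: versionRange requires isExternal=true")
    if has_range and has_version:
        problems.append(f"{path}: version and versionRange are mutually exclusive")
    if has_range:
        try:
            parse_vers(component["versionRange"])
        except ValueError as exc:
            problems.append(f"{path}: {exc}")
    for i, child in enumerate(component.get("components", [])):
        problems.extend(check_component(child, f"{path}.components[{i}]"))
    return problems


def check_bom(bom):
    """Return all violations found in metadata.component and the components list."""
    problems = []
    meta = bom.get("metadata", {}).get("component")
    if meta is not None:
        problems.extend(check_component(meta, "metadata.component"))
    for i, comp in enumerate(bom.get("components", [])):
        problems.extend(check_component(comp, f"components[{i}]"))
    return problems


# Constructed sample BOM: one valid external component and three rule violations.
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX",
  "specVersion": "1.7",
  "metadata": {"component": {"type": "application", "name": "app", "version": "2.0.0"}},
  "components": [
    {"type": "library", "name": "openssl", "isExternal": true,
     "versionRange": "vers:generic/>=3.0.0|<4.0.0"},
    {"type": "library", "name": "zlib", "version": "1.3.1"},
    {"type": "library", "name": "libxml2", "versionRange": "vers:generic/>=2.9"},
    {"type": "library", "name": "curl", "isExternal": true,
     "version": "8.0.0", "versionRange": "vers:generic/*"},
    {"type": "library", "name": "broken", "isExternal": true, "versionRange": "3.x"}
  ]
}""")

if __name__ == "__main__":
    for problem in check_bom(SAMPLE_BOM):
        print(problem)
```

Run against the sample, the checker flags `libxml2` (range without `isExternal`), `curl` (both `version` and `versionRange`) and `broken` (value is not `vers` syntax); `openssl` passes. Deciding whether a concrete installed version actually satisfies the range is deliberately out of scope here, because version comparison rules depend on the `vers` scheme (semver, maven, generic, ...).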
Signed-off-by: Steve Springett <[email protected]>
As discussed in ticket #595, this PR adds TLP marking in the BOM
metadata.

This PR supersedes #603

fixes #595
With this property external references can be annotated with additional
metadata in a machine-readable format.

As discussed in #608 this adds support for custom properties in external
references.


fixes #608
…censing, etc (#599)

As discussed via #549, this PR adds new structures to allow documenting
the licensing and "properties" of SPDX expressions.
As discussed via #554, this PR adds new structures to allow documenting
the license texts for SPDX expressions' individual parts.


----

TODO
- [x] agree on data models & finalize examples
- [x] write the schemata 
- [x] write the spec
- [x] write a proper summary for this PR

----

- fixes #554
- fixes #549
As discussed in #233, we need to tell which component type to use for
just-in-time compilers and interpreters.

This PR adds the information to the spec.

- fixes #233