
Release notes external reference type missing from protobuf schema #266

Closed
coderpatros opened this issue Jul 17, 2023 · 5 comments · Fixed by #531

Comments

@coderpatros
Member

This applies to all versions of the protobuf spec

@jkowalleck

This comment was marked as outdated.

@jkowalleck

This comment was marked as outdated.

@jkowalleck jkowalleck removed this from the 1.6 milestone Mar 18, 2024
@andreas-hilti
Contributor

andreas-hilti commented Aug 27, 2024

@jkowalleck In ExternalReferenceType, release-notes seems to be missing in protobuf, compared to JSON and XML:

enum ExternalReferenceType {
// Use this if no other types accurately describe the purpose of the external reference
// buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `other` is our fallback, doubling `unspecified`
EXTERNAL_REFERENCE_TYPE_OTHER = 0;
// Version Control System
EXTERNAL_REFERENCE_TYPE_VCS = 1;
// Issue, defect tracking system, or an Application Lifecycle Management (ALM) system
EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER = 2;
// Website
EXTERNAL_REFERENCE_TYPE_WEBSITE = 3;
// Security advisories
EXTERNAL_REFERENCE_TYPE_ADVISORIES = 4;
// Bill-of-material document (CycloneDX, SPDX, SWID, etc)
EXTERNAL_REFERENCE_TYPE_BOM = 5;
// Mailing list or discussion group
EXTERNAL_REFERENCE_TYPE_MAILING_LIST = 6;
// Social media account
EXTERNAL_REFERENCE_TYPE_SOCIAL = 7;
// Real-time chat platform
EXTERNAL_REFERENCE_TYPE_CHAT = 8;
// Documentation, guides, or how-to instructions
EXTERNAL_REFERENCE_TYPE_DOCUMENTATION = 9;
// Community or commercial support
EXTERNAL_REFERENCE_TYPE_SUPPORT = 10;
// Direct or repository download location
EXTERNAL_REFERENCE_TYPE_DISTRIBUTION = 11;
// The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness
EXTERNAL_REFERENCE_TYPE_LICENSE = 12;
// Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)
EXTERNAL_REFERENCE_TYPE_BUILD_META = 13;
// URL to an automated build system
EXTERNAL_REFERENCE_TYPE_BUILD_SYSTEM = 14;
// Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.
EXTERNAL_REFERENCE_TYPE_SECURITY_CONTACT = 15;
// Human or machine-readable statements containing facts, evidence, or testimony
EXTERNAL_REFERENCE_TYPE_ATTESTATION = 16;
// An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format
EXTERNAL_REFERENCE_TYPE_THREAT_MODEL = 17;
// The defined assumptions, goals, and capabilities of an adversary.
EXTERNAL_REFERENCE_TYPE_ADVERSARY_MODEL = 18;
// Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.
EXTERNAL_REFERENCE_TYPE_RISK_ASSESSMENT = 19;
// The location where a component was published. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary
EXTERNAL_REFERENCE_TYPE_DISTRIBUTION_INTAKE = 20;
// A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product
EXTERNAL_REFERENCE_TYPE_VULNERABILITY_ASSERTION = 21;
// A Vulnerability Exploitability eXchange (VEX) asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally, the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization
EXTERNAL_REFERENCE_TYPE_EXPLOITABILITY_STATEMENT = 22;
// Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test
EXTERNAL_REFERENCE_TYPE_PENTEST_REPORT = 23;
// SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code
EXTERNAL_REFERENCE_TYPE_STATIC_ANALYSIS_REPORT = 24;
// Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations
EXTERNAL_REFERENCE_TYPE_DYNAMIC_ANALYSIS_REPORT = 25;
// Report generated by analyzing the call stack of a running application
EXTERNAL_REFERENCE_TYPE_RUNTIME_ANALYSIS_REPORT = 26;
// Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis
EXTERNAL_REFERENCE_TYPE_COMPONENT_ANALYSIS_REPORT = 27;
// Report containing a formal assessment of an organization, business unit, or team against a maturity model
EXTERNAL_REFERENCE_TYPE_MATURITY_REPORT = 28;
// Industry, regulatory, or other certification from an accredited (if applicable) certification body
EXTERNAL_REFERENCE_TYPE_CERTIFICATION_REPORT = 29;
// Report or system in which quality metrics can be obtained
EXTERNAL_REFERENCE_TYPE_QUALITY_METRICS = 30;
// Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC)
EXTERNAL_REFERENCE_TYPE_CODIFIED_INFRASTRUCTURE = 31;
// A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.
EXTERNAL_REFERENCE_TYPE_MODEL_CARD = 32;
// Plans of Action and Milestones (POAM) complement an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones".
EXTERNAL_REFERENCE_TYPE_POAM = 33;
// A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.
EXTERNAL_REFERENCE_TYPE_LOG = 34;
// Parameters or settings that may be used by other components or services.
EXTERNAL_REFERENCE_TYPE_CONFIGURATION = 35;
// Information used to substantiate a claim.
EXTERNAL_REFERENCE_TYPE_EVIDENCE = 36;
// Describes how a component or service was manufactured or deployed.
EXTERNAL_REFERENCE_TYPE_FORMULATION = 37;
// The location where the source code distributable can be obtained. This is often an archive format such as zip or tar.gz. The source-distribution type complements the use of the version control (vcs) type.
EXTERNAL_REFERENCE_TYPE_SOURCE_DISTRIBUTION = 38;
// An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.
EXTERNAL_REFERENCE_TYPE_ELECTRONIC_SIGNATURE = 39;
// A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.
EXTERNAL_REFERENCE_TYPE_DIGITAL_SIGNATURE = 40;
// Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure)
EXTERNAL_REFERENCE_TYPE_RFC_9116 = 41;
}

"release-notes",

<xs:enumeration value="release-notes">
<xs:annotation>
<xs:documentation>URL to release notes</xs:documentation>
</xs:annotation>
</xs:enumeration>

noticed in the context of CycloneDX/cyclonedx-dotnet-library#329
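The mismatch reported above (an enumeration value present in the JSON and XML schemas but absent from the protobuf enum) is the kind of drift that silently breaks format conversion: a library that round-trips a BOM through protobuf has no way to represent a `release-notes` reference and must drop or remap it. The following script is an added example, not part of the CycloneDX project or this issue, that cross-checks the three schema sources for the same enum and reports values missing from any one of them. It assumes the protobuf-to-kebab-case mapping is purely mechanical (strip the `EXTERNAL_REFERENCE_TYPE_` prefix, lowercase, replace `_` with `-`); the schema excerpts embedded below are constructed, trimmed samples, not the real schema files.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed excerpts, not the real CycloneDX schema files: a slice of the
# protobuf enum as quoted in the issue, the matching JSON-schema enum list,
# and the XSD enumeration, each trimmed to a handful of entries.
PROTO_EXCERPT = """
enum ExternalReferenceType {
  EXTERNAL_REFERENCE_TYPE_OTHER = 0;
  EXTERNAL_REFERENCE_TYPE_VCS = 1;
  EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER = 2;
  EXTERNAL_REFERENCE_TYPE_BUILD_META = 13;
  EXTERNAL_REFERENCE_TYPE_RFC_9116 = 41;
}
"""

JSON_SCHEMA_EXCERPT = """
{
  "externalReferenceType": {
    "type": "string",
    "enum": ["vcs", "issue-tracker", "build-meta", "release-notes", "rfc-9116", "other"]
  }
}
"""

XSD_EXCERPT = """
<xs:simpleType name="externalReferenceType" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:restriction base="xs:string">
    <xs:enumeration value="vcs"/>
    <xs:enumeration value="issue-tracker"/>
    <xs:enumeration value="build-meta"/>
    <xs:enumeration value="release-notes">
      <xs:annotation><xs:documentation>URL to release notes</xs:documentation></xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="rfc-9116"/>
    <xs:enumeration value="other"/>
  </xs:restriction>
</xs:simpleType>
"""

PROTO_PREFIX = "EXTERNAL_REFERENCE_TYPE_"
XS_NS = "{http://www.w3.org/2001/XMLSchema}"


def proto_enum_values(proto_text: str) -> set[str]:
    """Collect enum member names from protobuf source and map them to the
    kebab-case spelling the JSON and XML schemas use.
    Assumption: the mapping is mechanical (strip prefix, lowercase, '_' -> '-');
    any real exception would need an explicit alias table."""
    names = re.findall(rf"\b{PROTO_PREFIX}([A-Z0-9_]+)\s*=\s*\d+\s*;", proto_text)
    return {name.lower().replace("_", "-") for name in names}


def json_enum_values(schema_text: str, definition: str = "externalReferenceType") -> set[str]:
    """Read the 'enum' list of one named definition in a JSON schema document."""
    schema = json.loads(schema_text)
    return set(schema[definition]["enum"])


def xsd_enum_values(xsd_text: str) -> set[str]:
    """Read every <xs:enumeration value="..."> under the XSD simpleType."""
    root = ET.fromstring(xsd_text)
    return {el.attrib["value"] for el in root.iter(f"{XS_NS}enumeration")}


def compare_schemas(proto_text: str, json_text: str, xsd_text: str) -> dict[str, set[str]]:
    """Report, per format, the values every other format has but this one lacks."""
    proto = proto_enum_values(proto_text)
    js = json_enum_values(json_text)
    xsd = xsd_enum_values(xsd_text)
    return {
        "missing_in_proto": (js | xsd) - proto,
        "missing_in_json": (proto | xsd) - js,
        "missing_in_xsd": (proto | js) - xsd,
    }


if __name__ == "__main__":
    report = compare_schemas(PROTO_EXCERPT, JSON_SCHEMA_EXCERPT, XSD_EXCERPT)
    for fmt, missing in report.items():
        status = "ok" if not missing else ", ".join(sorted(missing))
        print(f"{fmt}: {status}")
```

Run against the real schema files, such a check belongs in CI for the schema repository so that a value added to one of the three formats cannot ship without the other two; on the constructed excerpts it reports `release-notes` as missing from protobuf and nothing else.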

@jkowalleck
Member

jkowalleck commented Aug 28, 2024

Feel free to drop a PR with a fix.

@jkowalleck jkowalleck added CDX 1.6 related to release v1.6 CDX 1.5 related to release v1.5 and removed CDX 1.6 related to release v1.6 labels Aug 29, 2024
@jkowalleck jkowalleck self-assigned this Nov 3, 2024
@jkowalleck jkowalleck added this to the 1.6.1 milestone Nov 3, 2024
@jkowalleck
Member

Could I ask you for a review of the proposed fix? #531
