# Protobuf: `Evidence.identity` is `repeated`, but should be `optional` (#272)
Comments
Am I correct in assuming that even Evidence must be optional, as shown in the commit below? I think in 1.6 we need to add some conformance tests where we serialize using proto and then attempt to deserialize and read as JSON, and vice versa.
Actually, the defect is in the JSON and XML schemas. In this case, the protobuf is correct. Identity should be an array.
I think there are some tests that are performed in .NET. Perhaps @coderpatros can shed some light.
This would be a large breaking change for cdxgen and depscan users, since the identity object is used quite heavily.
How would this be a breaking change? The unit tests, which incorporate both single object and arrays, are passing validation. There will be no changes required in cdxgen or depscan, although the current method (single object) has been deprecated. So implementations will be encouraged to update to supporting arrays. But no functionality is breaking.
Fixed issue with evidence identity that restricted identity to only a single object. The defect was found in JSON and XML schemas but was correct in protobuf. Updated JSON and XML schemas in a way where they are backward compatible. Updated test cases in v1.6 that support BOTH methods (single object and array of objects) of specifying identity evidence. Closes #272
Fix will be included in v1.6
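An added consumer-side example (not from the CycloneDX project or this thread) of the backward-compatible handling described above: it accepts `evidence.identity` as either the deprecated single object or the array form, validates each entry, and shows that both forms round-trip through JSON to the same data. The entry shape (`field`, `confidence`) and the allowed `field` values are assumptions of the example.

```python
"""Accept CycloneDX ``component.evidence.identity`` in both forms discussed in
this thread: the single object the v1.5 JSON/XML schemas allowed (deprecated in
v1.6) and the array the protobuf schema always used and v1.6 aligns JSON/XML to."""
import json
from typing import Any, Dict, List

# Assumed entry shape (field/confidence); the allowed ``field`` values are an
# assumption of this example, not quoted from the issue thread.
IDENTITY_FIELDS = {"group", "name", "version", "purl", "cpe", "swid", "hash"}


def check_identity(entry: Any) -> Dict[str, Any]:
    """Validate one identity object; raise ValueError on malformed input."""
    if not isinstance(entry, dict):
        raise ValueError(f"identity entry must be an object, got {type(entry).__name__}")
    if entry.get("field") not in IDENTITY_FIELDS:
        raise ValueError(f"unknown identity field: {entry.get('field')!r}")
    conf = entry.get("confidence")
    if conf is not None and not (isinstance(conf, (int, float)) and 0 <= conf <= 1):
        raise ValueError(f"confidence out of range: {conf!r}")
    return entry


def normalize_identity(component: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return evidence.identity as a list, whichever schema form was used."""
    ident = component.get("evidence", {}).get("identity")
    if ident is None:
        return []                                   # field is optional
    if isinstance(ident, dict):
        return [check_identity(ident)]              # deprecated single-object form
    if isinstance(ident, list):
        return [check_identity(e) for e in ident]   # array form (protobuf / v1.6)
    raise ValueError("identity must be an object or an array of objects")


def upgrade_to_array_form(component: Dict[str, Any]) -> Dict[str, Any]:
    """Rewrite identity as an array and round-trip through JSON, showing the two
    forms carry the same information (the 'no functionality breaks' point)."""
    upgraded = json.loads(json.dumps(component))    # deep copy via serialization
    ids = normalize_identity(upgraded)
    if ids:
        upgraded["evidence"]["identity"] = ids
    return json.loads(json.dumps(upgraded))


# Constructed sample components, not taken from the page or CycloneDX test data.
SINGLE_FORM = {"name": "demo-lib", "evidence": {"identity": {"field": "purl", "confidence": 0.9}}}
ARRAY_FORM = {"name": "demo-lib", "evidence": {"identity": [
    {"field": "purl", "confidence": 0.9}, {"field": "hash", "confidence": 1}]}}
```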
## Added

* Core enhancement: Attestation ([#192](#192) via [#348](#348))
* Core enhancement: Cryptography Bill of Materials — CBOM ([#171](#171), [#291](#291) via [#347](#347))
* Feature to express the URL to source distribution ([#98](#98) via [#269](#269))
* Feature to express the URL to RFC 9116 compliant documents ([#380](#380) via [#381](#381))
* Feature to express tags/keywords for services and components (via [#383](#383))
* Feature to express details for component authors ([#335](#335) via [#379](#379))
* Feature to express details for component and BOM manufacturer ([#346](#346) via [#379](#379))
* Feature to communicate concluded values from observed evidence ([#411](#411) via [#412](#412))
* Features to express license acknowledgement ([#407](#407) via [#408](#408))
* Feature to express environmental consideration information for model cards ([#396](#396) via [#395](#395))
* Feature to express the address of organizational entities (via [#395](#395))
* Feature to express additional component identifiers: Universal Bill Of Receipts Identifier and Software Heritage persistent IDs ([#413](#413) via [#414](#414))

## Fixed

* Allow multiple evidence identities by XML/JSON schema ([#272](#272) via [#359](#359)). This was already correct in the ProtoBuf schema.
* Prevent empty `license` entities by XML schema ([#288](#288) via [#292](#292)). This was already correct in the JSON/ProtoBuf schema.
* Prevent empty or malformed `property` entities by JSON schema ([#371](#371) via [#375](#375)). This was already correct in the XML/ProtoBuf schema.
* Allow multiple `licenses` in `Metadata` by ProtoBuf schema ([#264](#264) via [#401](#401)). This was already correct in the XML/JSON schema.

## Changed

* Allow arbitrary `$schema` values by JSON schema ([#402](#402) via [#403](#403))
* Increased max length of `versionRange` (via [`3e01ce6`](3e01ce6))
* Harmonized length of `version` (via [#417](#417))

## Deprecated

* Data model "Component"'s field `author` was deprecated (via [#379](#379)). Use field `authors` or field `manufacturer` instead.
* Data model "Metadata"'s field `manufacture` was deprecated ([#346](#346) via [#379](#379)). Use "Metadata"'s field `component`'s field `manufacturer` instead.
  - for XML: `/bom/metadata/component/manufacturer`
  - for JSON: `$.metadata.component.manufacturer`
  - for ProtoBuf: `Bom:metadata.component.manufacturer`

## Documentation

* Centralize version and version-range (via [#322](#322))
* Streamlined SPDX expression related descriptions (via [#327](#327))
* Enhanced descriptions of `bom-ref`/`refType` ([#336](#336) via [#344](#344))
* Enhanced readability of enum documentation in JSON schema ([#361](#361) via [#362](#362))
* Fixed typo "compliment" -> "complement" (via [#369](#369))
* Added documentation for enum "ComponentScope"'s values in JSON schema ([#293](#293) via [`d92e58e`](d92e58e)). Texts were taken from the existing ones in the XML/ProtoBuf schema.
* Added documentation for enum "TaskType"'s values ([#245](#245) via [#377](#377))
* Improved documentation for data model "Metadata"'s field `licenses` ([#273](#273) via [#378](#378))
* Added documentation for enum "MachineLearningApproachType"'s values ([#351](#351) via [#416](#416))
* Rephrased some texts here and there.

## Test data

* Added test data for newly added use cases
* Added quality assurance for our ProtoBuf schemas ([#384](#384) via [#385](#385))
The `identity` field of `Evidence` is `repeated` in the current v1.5 Protobuf schema, whereas it is a singular object in the JSON and XML variants of the schema.

- specification/schema/bom-1.5.proto, lines 652 to 658 in cc15c85
- specification/schema/bom-1.5.schema.json, lines 1458 to 1469 in cc15c85
- specification/schema/bom-1.5.xsd, lines 2132 to 2134 in cc15c85

As the field is not required, it should be `optional`.