bug: additional properties on property type in JSON
#371
Comments
|
checked, can confirm for JSON:
in contrast to the JSON, the XML defines
in contrast to JSON, the Protobuff defines
|
|
@stevespringett if the XML & ProtoBuff are the intended solutions, |
|
Yes please. Thanks @jkowalleck |
jkowalleck
changed the title
property typeproperty type in JOSN
jkowalleck
changed the title
property type in JOSNproperty type in JSON
|
Thanks to both of you for the quick turnaround on this! |
|
Thanks for reporting @agschrei . Fix will be included in the upcoming v1.6 specification. |
Merged
stevespringett
added a commit
that referenced
this issue
Apr 9, 2024
## Added * Core enhancement: Attestation ([#192](#192) via [#348](#348)) * Core enhancement: Cryptography Bill of Materials — CBOM ([#171](#171), [#291](#291) via [#347](#347)) * Feature to express the URL to source distribution ([#98](#98) via [#269](#269)) * Feature to express the URL to RFC 9116 compliant documents ([#380](#380) via [#381](#381)) * Feature to express tags/keywords for services and components (via [#383](#383)) * Feature to express details for component authors ([#335](#335) via [#379](#379)) * Feature to express details for component and BOM manufacturer ([#346](#346) via [#379](#379)) * Feature to express communicate concluded values from observed evidences ([#411](#411) via [#412](#412)) * Features to express license acknowledgement ([#407](#407) via [#408](#408)) * Feature to express environmental consideration information for model cards ([#396](#396) via [#395](#395)) * Feature to express the address of organizational entities (via [#395](#395)) * Feature to express additional component identifiers: Universal Bill Of Receipts Identifier and Software Heritage persistent IDs ([#413](#413) via [#414](#414)) ## Fixed * Allow multiple evidence identities by XML/JSON schema ([#272](#272) via [#359](#359)) This was already correct via ProtoBuff schema. * Prevent empty `license` entities by XML schema ([#288](#288) via [#292](#292)) This was already correct in JSON/ProtoBuff schema. * Prevent empty or malformed `property` entities by JSON schema ([#371](#371) via [#375](#375)) This was already correct in XML/ProtoBuff schema. * Allow multiple `licenses` in `Metadata` by ProtoBuff schema ([#264](#264) via [#401](#401)) This was already correct in XML/JSON schema. ## Changed * Allow arbitrary `$schema` values by JSON schema ([#402](#402) via [#403](#403)) * Increased max length of `versionRange` (via [`3e01ce6`](3e01ce6)) * Harmonized length of `version` (via [#417](#417)) ## Deprecated * Data model "Component"'s field `author` was deprecated. (via [#379](#379)) Use field `authors` or field `manufacturer` instead. * Data model "Metadata"'s field `manufacture` was deprecated. ([#346](#346) via [#379](#379)) Use "Metadata"'s field `component`'s field `manufacturer` instead. - for XML: `/bom/metadata/component/manufacturer` - for JSON: `$.metadata.component.manufacturer` - for ProtoBuf: `Bom:metadata.component.manufacturer` ## Documentation * Centralize version and version-range (via [#322](#322)) * Streamlined SPDX expression related descriptions (via [#327](#327)) * Enhanced descriptions of `bom-ref`/`refType` ([#336](#336) via [#344](#344)) * Enhanced readability of enum documentation in JSON schema ([#361](#361) via [#362](#362)) * Fixed typo "compliment" -> "complement" (via [#369](#369)) * Added documentation for enum "ComponentScope"'s values in JSON schema ([#293](#293) via [`d92e58e`](d92e58e)) Texts were a taken from the existing ones in XML/ProtoBuff schema. * Added documentation for enum "TaskType"'s values ([#245](#245) via [#377](#377)) * Improve documentation for data model "Metadata"'s field `licenses` ([#273](#273) via [#378](#378)) * Added documentation for enum "MachineLearningApproachType"'s values ([#351](#351) via [#416](#416)) * Rephrased some texts here and there. ## Test data * Added test data for newly added use cases * Added quality assurance for our ProtoBuf schemas ([#384](#384) via [#385](#385))
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently the definition for a
propertyexpects keysnameandvaluebut neither of them is required and the presence of other keys is not prohibited through a constraint like"additionalProperties": falseThis is an inconsistency compared to other types defined on the schema such as
componentordependencywhich disallow additional properties.Concretely, that means this sample SBOM validates against the schema, but my argument is that it should not:
{ "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "metadata": { "component": { "bom-ref": "foo", "type": "application", "name": "foo", "properties": [ { "name": "myCustomProperty", "value": "myCustomValue", "abc": ["def"] } ] } }, "components": [ { "bom-ref": "foo/bar", "type": "library", "name": "bar" } ] }https://www.jsonschemavalidator.net/s/dRHUBrfG
This seems like a small thing, but I just spent an hour trying to figure out why cyclonedx-core-java would validate an sbom just fine but then fail to parse it. So I think the spec would benefit from a stronger constraint on the
propertytype.I'm happy to contribute the spec changes for 1.6 if this gets approved.
The text was updated successfully, but these errors were encountered: