Question on Relationship/to cardinality #449

Closed
davaya opened this issue Jul 29, 2023 · 1 comment
davaya commented Jul 29, 2023

This may not be an issue, but just for completeness, on May 5 #293 changed the Relationship "to" property from required to optional, to address issue #129.

VulnAssessmentRelationship requires a "to" property and so restricts it back to required.

The class inheritance tree is:

Subclass tree:
                       Package: [AIPackage, Dataset]
                              : [PresenceType, SafetyRiskAssessmentType, CreationInfo, DictionaryEntry, ExternalIdentifier, IntegrityMethod, AnnotationType, ExternalIdentifierType, ExternalReferenceType, HashAlgorithm, LifecycleScopeType, ProfileIdentifierType, RelationshipCompleteness, RelationshipType, ConfidentialityLevelType, DatasetAvailabilityType, DatasetType, ExploitCatalogType, SsvcDecisionType, VexJustificationType, DependencyConditionalityType, SbomType, SoftwareDependencyLinkType, SoftwarePurpose, String, Integer]
                       Element: [Build, Agent, Annotation, Artifact, ElementCollection, Relationship, Tool, LicenseAddition, Vulnerability, AnyLicenseInfo, SimpleLicensingText]
                        Bundle: [Bom, SpdxDocument]
             ElementCollection: [Bundle]
                          none: [Element, ExternalMap, ExternalReference, PositiveIntegerRange]
               IntegrityMethod: [Hash]
                  Relationship: [LifecycleScopedRelationship, VulnAssessmentRelationship]
                         Agent: [Organization, Person, SoftwareAgent]
                    xsd:string: [DateTime, MediaType, SemVer]
                AnyLicenseInfo: [ConjunctiveLicenseSet, DisjunctiveLicenseSet, ExtendableLicense, WithAdditionOperator, LicenseExpression]
                       License: [CustomLicense, ListedLicense]
               LicenseAddition: [CustomLicenseAddition, ListedLicenseException]
             ExtendableLicense: [License, OrLaterOperator]
    VulnAssessmentRelationship: [CvssV2VulnAssessmentRelationship, CvssV3VulnAssessmentRelationship, EpssVulnAssessmentRelationship, ExploitCatalogVulnAssessmentRelationship, SsvcVulnAssessmentRelationship, VexVulnAssessmentRelationship]
 VexVulnAssessmentRelationship: [VexAffectedVulnAssessmentRelationship, VexFixedVulnAssessmentRelationship, VexNotAffectedVulnAssessmentRelationship, VexUnderInvestigationVulnAssessmentRelationship]
              SoftwareArtifact: [File, Package, Snippet]
                           Bom: [Sbom]
                      Artifact: [SoftwareArtifact]
   LifecycleScopedRelationship: [SoftwareDependencyRelationship]
                        String: [AnyUri]

indicating that the only other Relationship classes are LifecycleScopedRelationship and SoftwareDependencyRelationship.

If either of these two classes requires a "to" field, they should also restrict it like Security does. If they don't, everything is fine.

goneall commented Apr 3, 2024

Since these may be used to express "known unknowns", the "to" will be optional. Closing this issue.

Thanks @davaya for verifying this.

@goneall goneall closed this as completed Apr 3, 2024
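
As an added example (not code from the SPDX project or from either commenter), the following Python resolves the effective minimum count of "to" through the Relationship subtree quoted above and reports elements that omit it where a subclass has restricted it back to required. The dictionary layout, function names and sample elements are assumptions made for illustration.

```python
# Added illustration: data layout and function names are assumptions, not SPDX tooling.
# child -> parent, for part of the Relationship subtree in the tree quoted above
PARENT = {
    "LifecycleScopedRelationship": "Relationship",
    "SoftwareDependencyRelationship": "LifecycleScopedRelationship",
    "VulnAssessmentRelationship": "Relationship",
    "VexVulnAssessmentRelationship": "VulnAssessmentRelationship",
    "VexFixedVulnAssessmentRelationship": "VexVulnAssessmentRelationship",
}
# Minimum count of "to" declared on the class itself (0 = optional, 1 = required)
DECLARED_MIN_TO = {"Relationship": 0, "VulnAssessmentRelationship": 1}


def effective_min_to(cls):
    """Minimum "to" count in force for cls: nearest declaration up the chain."""
    while cls is not None:
        if cls in DECLARED_MIN_TO:
            return DECLARED_MIN_TO[cls]
        cls = PARENT.get(cls)
    raise KeyError("not a known Relationship class")


def widening_restrictions():
    """Classes whose own declaration loosens what their parent already enforces."""
    return [cls for cls, own in DECLARED_MIN_TO.items()
            if cls in PARENT and own < effective_min_to(PARENT[cls])]


def check(element):
    """Return the list of "to" cardinality problems for one element (a dict)."""
    cls = element["type"]
    targets = element.get("to") or []
    if len(targets) < effective_min_to(cls):
        return [f'{cls}: "to" is required here but is missing']
    return []


# Constructed sample elements (identifiers are made up)
SAMPLES = [
    {"type": "SoftwareDependencyRelationship", "from": "pkg-a"},  # "to" unknown
    {"type": "VexFixedVulnAssessmentRelationship", "from": "vuln-1"},
    {"type": "VexFixedVulnAssessmentRelationship", "from": "vuln-1", "to": ["pkg-a"]},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["type"], check(sample) or "ok")
```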