Merge remote-tracking branch 'origin/1.7-dev' into 1.7-dev-cryptography

Author: jkowalleck

README.md

@@ -1,4 +1,8 @@
-[![Build Status](https://github.com/CycloneDX/specification/workflows/CI%20Build/badge.svg)](https://github.com/CycloneDX/specification/actions?workflow=CI+Build)
+[![Build Docs](https://github.com/CycloneDX/specification/actions/workflows/build_docs.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/build_docs.yml)
+[![CT Java](https://github.com/CycloneDX/specification/actions/workflows/test_java.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/test_java.yml)
+[![CT JavaScript](https://github.com/CycloneDX/specification/actions/workflows/test_js.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/test_js.yml)
+[![CT PHP](https://github.com/CycloneDX/specification/actions/workflows/test_php.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/test_php.yml)
+[![CT ProtoBuf](https://github.com/CycloneDX/specification/actions/workflows/test_proto.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/test_proto.yml)  
 [![License][license-image]][license-url]
 [![Website](https://img.shields.io/badge/https://-cyclonedx.org-blue.svg)](https://cyclonedx.org/)
 [![Slack Invite](https://img.shields.io/badge/Slack-Join-blue?logo=slack&labelColor=393939)](https://cyclonedx.org/slack/invite)

schema/bom-1.7.proto

@@ -0,0 +1,79 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "serialNumber": "urn:uuid:df628836-6b9b-41c9-a724-b44743c54d42",
+  "version": 1,
+  "metadata": {
+    "lifecycles": [{"phase": "design"}]
+  },
+  "components": [
+    {
+      "type": "library",
+      "group": "com.example",
+      "name": "situation-A",
+      "version": "1",
+      "description": "Multiple licenses: declared ids/names, and a concluded expression",
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT",
+            "acknowledgement": "declared"
+          }
+        },
+        {
+          "license": {
+            "id": "PostgreSQL",
+            "acknowledgement": "declared"
+          }
+        },
+        {
+          "license": {
+            "name": "Apache Software License",
+            "acknowledgement": "declared"
+          }
+        },
+        {
+          "expression": "(MIT OR PostgreSQL OR Apache-2.0)",
+          "acknowledgement": "concluded"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "group": "com.example",
+      "name": "situation-B",
+      "version": "1",
+      "description": "Multiple license expressions: one declared, one concluded",
+      "licenses": [
+        {
+          "expression": "MIT OR (GPL-3.0 OR GPL-2.0)",
+          "acknowledgement": "declared"
+        },
+        {
+          "expression": "(GPL-3.0-only AND LGPL-2.0-only)",
+          "acknowledgement": "concluded"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "group": "com.example",
+      "name": "situation-C",
+      "version": "1",
+      "description": "Multiple license: one declared expression, one concluded id",
+      "licenses": [
+        {
+          "expression": "GPL-3.0-or-later OR GPL-2.0",
+          "acknowledgement": "declared"
+        },
+        {
+          "license": {
+            "id": "GPL-3.0-only",
+            "acknowledgement": "concluded"
+          }
+        }
+      ]
+    }
+  ]
+}

schema/bom-1.7.schema.json

@@ -0,0 +1,46 @@
+<?xml version="1.0"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.6"
+     serialNumber="urn:uuid:df628836-6b9b-41c9-a724-b44743c54d42"
+>
+    <!--
+    All license posture in here is for show-case ony.
+    This is not a real law-case!
+    -->
+    <metadata>
+        <lifecycles><lifecycle><phase>design</phase></lifecycle></lifecycles>
+    </metadata>
+    <components>
+        <component type="library">
+            <group>com.example</group>
+            <name>situation-A</name>
+            <version>1</version>
+            <description>Multiple licenses: declared ids/names, and a concluded expression</description>
+            <licenses>
+                <license acknowledgement="declared"><id>MIT</id></license>
+                <license acknowledgement="declared"><id>PostgreSQL</id></license>
+                <license acknowledgement="declared"><name>Apache Software License</name></license>
+                <expression acknowledgement="concluded">(MIT OR PostgreSQL OR Apache-2.0)</expression>
+            </licenses>
+        </component>
+        <component type="library">
+            <group>com.example</group>
+            <name>situation-B</name>
+            <version>1</version>
+            <description>Multiple license expressions: one declared, one concluded</description>
+            <licenses>
+                <expression acknowledgement="declared">MIT OR (GPL-3.0 OR GPL-2.0)</expression>
+                <expression acknowledgement="concluded">(GPL-3.0-only AND LGPL-2.0-only)</expression>
+            </licenses>
+        </component>
+        <component type="library">
+            <group>com.example</group>
+            <name>situation-C</name>
+            <version>1</version>
+            <description>Multiple license: one declared expression, one concluded id</description>
+            <licenses>
+                <expression acknowledgement="declared">GPL-3.0-or-later OR GPL-2.0</expression>
+                <license acknowledgement="concluded"><id>GPL-3.0-only</id></license>
+            </licenses>
+        </component>
+    </components>
+</bom>

schema/bom-1.7.xsd

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
+     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"
+>
+    <!--
+    this would be formal, if the support for XSD1.1's `assert` was properly implemented
+    in validators and tools digesting XML.
+    -->
+    <components>
+        <component type="library" isExternal="false">
+            <name>InvalidVersions</name>
+            <versionRange><![CDATA[vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1]]></versionRange>
+            <description>versionRange may only exist on extraneous components, set `isExternal` explicit</description>
+        </component>
+    </components>
+</bom>

tools/src/test/resources/1.6/invalid-license-declared-concluded-mix-1.6.json

@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
+     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"
+>
+    <!--
+    this would be formal, if the support for XSD1.1's `assert` was properly implemented
+    in validators and tools digesting XML.
+    -->
+    <components>
+        <component type="library">
+            <!-- @isExternal defaults to `false` -->
+            <name>InvalidVersions</name>
+            <versionRange><![CDATA[vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1]]></versionRange>
+            <description>versionRange may only exist on extraneous components, set `isExternal` implicit by default value</description>
+        </component>
+    </components>
+</bom>

tools/src/test/resources/1.6/invalid-license-declared-concluded-mix-1.6.xml

@@ -0,0 +1,40 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.7",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2025-05-01T14:23:00Z"
+  },
+  "components": [
+    {
+      "type": "library",
+      "bom-ref": "component-1",
+      "name": "example-lib",
+      "version": "1.2.3",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0"
+          }
+        }
+      ]
+    }
+  ],
+  "citations": [
+    {
+      "bom-ref": "citation-1",
+      "pointers": [ "/components/0/name" ],
+      "timestamp": "2025-05-01T14:00:00Z",
+      "note": "Should have at least one of the following property sets: property 'attributedTo' or property 'process'"
+    },
+    {
+      "bom-ref": "citation-1",
+      "pointers": [ "/components/0/name" ],
+      "expressions": [ "$..[?(@.bom-ref=='component-1')].version" ],
+      "timestamp": "2025-05-01T14:00:00Z",
+      "note": "Should not have both a pointer and expression."
+    }
+  ]
+}

tools/src/test/resources/1.7/informal-invalid-component-versionRange-non-external-explicit.xml

@@ -0,0 +1,48 @@
+# proto-file: schema/bom-1.7.proto
+# proto-message: Bom
+
+spec_version: "1.7"
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+version: 1
+
+metadata {
+  timestamp {
+    seconds: 1754424907
+    nanos: 0
+  }
+}
+
+components {
+  type: CLASSIFICATION_LIBRARY
+  bom_ref: "component-1"
+  name: "example-lib"
+  version: "1.2.3"
+  licenses {
+    license {
+      id: "Apache-2.0"
+    }
+  }
+}
+
+## !! NO formal check possible
+#citations {
+#  bom_ref: "citation-1"
+#  pointers: { pointer: "/components/0/name" }
+#  timestamp {
+#    seconds: 1746108000
+#    nanos: 0
+#  }
+#  note: "Should have at least one of the following property sets: property 'attributedTo' or property 'process'"
+#}
+
+
+citations {
+  bom_ref: "citation-1"
+  pointers: { pointer: "/components/0/name" }
+  expressions: { expression: "$..[?(bom_ref=='component-1')].version" }
+  timestamp {
+    seconds: 1746108000
+    nanos: 0
+  }
+  note: "Should not have both a pointer and expression."
+}