Merge branch 'master' into 1.7-dev

jkowalleck · web-flow · commit 808e5e3bb4de · 2025-10-19T12:15:55.000+02:00
diff --git a/.github/workflows/build_docs.yml b/.github/workflows/build_docs.yml
@@ -9,6 +9,9 @@ on:
 env:
   PYTHON_VERSION_DEFAULT: "3.10"
 
+# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions: {}
+
 jobs:
   docs_xml:
     runs-on: ubuntu-latest
@@ -18,10 +21,10 @@ jobs:
     steps:
     - name: Checkout
       # see https://github.com/actions/checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: Set up JDK
       # see https://github.com/actions/setup-java
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@v5
       with:
         java-version: '21'
         distribution: 'zulu'
@@ -43,10 +46,10 @@ jobs:
     steps:
     - name: Checkout
       # see https://github.com/actions/checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: Setup Python Environment
       # see https://github.com/actions/setup-python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v6
       with:
         python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
         architecture: 'x64'
@@ -67,7 +70,7 @@ jobs:
     steps:
     - name: Checkout
       # see https://github.com/actions/checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: Generate Schema documentation
       run: ./gen.sh
     - name: Archive Schema documentation
diff --git a/.github/workflows/test_java.yml b/.github/workflows/test_java.yml
@@ -14,16 +14,19 @@ defaults:
   run:
     working-directory: tools
 
+# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions: {}
+
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
       # see https://github.com/actions/checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: Set up JDK
       # see https://github.com/actions/setup-java
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@v5
       with:
         java-version: '8'
         distribution: 'zulu'
diff --git a/.github/workflows/test_js.yml b/.github/workflows/test_js.yml
@@ -16,17 +16,20 @@ defaults:
   run:
     working-directory: tools/src/test/js
 
+# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions: {}
+
 jobs:
   test:
     timeout-minutes: 30
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Setup Node.js
         # see https://github.com/actions/setup-node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '20.x'
       - name: Install Depenencies
diff --git a/.github/workflows/test_php.yml b/.github/workflows/test_php.yml
@@ -16,14 +16,17 @@ defaults:
   run:
     working-directory: tools/src/test/php
 
+# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions: {}
+
 jobs:
   test:
     timeout-minutes: 30
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Setup PHP
         # see https://github.com/shivammathur/setup-php
         uses: shivammathur/setup-php@v2
diff --git a/.github/workflows/test_proto.yml b/.github/workflows/test_proto.yml
@@ -16,13 +16,16 @@ defaults:
   run:
     working-directory: tools/src/test/proto
 
+# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions: {}
+
 jobs:
   test:
     timeout-minutes: 30
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Run test
         run: ./test.sh
diff --git a/README.md b/README.md
@@ -1,17 +1,20 @@
-[![Build Docs](https://github.com/CycloneDX/specification/actions/workflows/build_docs.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/build_docs.yml)
-[![CT Java](https://github.com/CycloneDX/specification/actions/workflows/test_java.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/test_java.yml)
-[![CT JavaScript](https://github.com/CycloneDX/specification/actions/workflows/test_js.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/test_js.yml)
-[![CT PHP](https://github.com/CycloneDX/specification/actions/workflows/test_php.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/test_php.yml)
-[![CT ProtoBuf](https://github.com/CycloneDX/specification/actions/workflows/test_proto.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/test_proto.yml)  
+
+# CycloneDX Bill of Materials Specification (ECMA-424)
+
 [![License][license-image]][license-url]
+[![ECMA TC54](https://img.shields.io/badge/ECMA-TC54-FC7C00?labelColor=404040)](https://tc54.org) 
 [![Website](https://img.shields.io/badge/https://-cyclonedx.org-blue.svg)](https://cyclonedx.org/)
 [![Slack Invite](https://img.shields.io/badge/Slack-Join-blue?logo=slack&labelColor=393939)](https://cyclonedx.org/slack/invite)
 [![Group Discussion](https://img.shields.io/badge/discussion-groups.io-blue.svg)](https://groups.io/g/CycloneDX)
-[![Twitter](https://img.shields.io/twitter/url/http/shields.io.svg?style=social&label=Follow)](https://twitter.com/CycloneDX_Spec)
-[![ECMA TC54](https://img.shields.io/badge/ECMA-TC54-FC7C00?labelColor=404040)](https://tc54.org)
+[![Twitter](https://img.shields.io/twitter/url/http/shields.io.svg?style=social&label=Follow)](https://twitter.com/CycloneDX_Spec)  
+[![Build Docs](https://github.com/CycloneDX/specification/actions/workflows/build_docs.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/build_docs.yml)
+[![CT Java](https://github.com/CycloneDX/specification/actions/workflows/test_java.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/test_java.yml)
+[![CT JavaScript](https://github.com/CycloneDX/specification/actions/workflows/test_js.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/test_js.yml)
+[![CT PHP](https://github.com/CycloneDX/specification/actions/workflows/test_php.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/test_php.yml)
+[![CT ProtoBuf](https://github.com/CycloneDX/specification/actions/workflows/test_proto.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/test_proto.yml)    
 
+----
 
-# CycloneDX Bill of Materials Specification (ECMA-424)
 OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for 
 cyber risk reduction. CycloneDX is an [Ecma International](https://ecma-international.org/) standard published as 
 [ECMA-424](https://ecma-international.org/publications-and-standards/standards/ecma-424/). 
diff --git a/schema/bom-1.4.proto b/schema/bom-1.4.proto
@@ -662,7 +662,7 @@ message VulnerabilityAffectedVersions {
   oneof choice {
     // A single version of a component or service.
     string version = 1;
-    // A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst
+    // A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec
     string range = 2;
   }
   // The vulnerability status for the version or range of versions.
diff --git a/schema/bom-1.4.schema.json b/schema/bom-1.4.schema.json
@@ -1640,7 +1640,7 @@
                       "$ref": "#/definitions/version"
                     },
                     "range": {
-                      "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst",
+                      "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec",
                       "$ref": "#/definitions/range"
                     },
                     "status": {
@@ -1683,7 +1683,7 @@
       "maxLength": 1024
     },
     "range": {
-      "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst",
+      "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec",
       "type": "string",
       "minLength": 1,
       "maxLength": 1024
diff --git a/schema/bom-1.4.xsd b/schema/bom-1.4.xsd
@@ -1993,7 +1993,7 @@ limitations under the License.
                                                                 </xs:element>
                                                                 <xs:element name="range" type="xs:normalizedString" minOccurs="1" maxOccurs="1">
                                                                     <xs:annotation>
-                                                                        <xs:documentation>A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst</xs:documentation>
+                                                                        <xs:documentation>A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec</xs:documentation>
                                                                     </xs:annotation>
                                                                 </xs:element>
                                                             </xs:choice>
diff --git a/schema/bom-1.5.proto b/schema/bom-1.5.proto
@@ -960,7 +960,7 @@ message VulnerabilityAffectedVersions {
   oneof choice {
     // A single version of a component or service.
     string version = 1;
-    // A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst
+    // A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec
     string range = 2;
   }
   // The vulnerability status for the version or range of versions. Defaults to VULNERABILITY_AFFECTED_STATUS_AFFECTED if not specified.
diff --git a/schema/bom-1.5.schema.json b/schema/bom-1.5.schema.json
@@ -2284,7 +2284,7 @@
                       "$ref": "#/definitions/version"
                     },
                     "range": {
-                      "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst",
+                      "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec",
                       "$ref": "#/definitions/range"
                     },
                     "status": {
@@ -2326,7 +2326,7 @@
       "maxLength": 1024
     },
     "range": {
-      "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst",
+      "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec",
       "type": "string",
       "minLength": 1,
       "maxLength": 1024
diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd
@@ -2433,12 +2433,12 @@ limitations under the License.
             </xs:enumeration>
             <xs:enumeration value="incomplete_first_party_proprietary_only">
                 <xs:annotation>
-                    <xs:documentation>The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.</xs:documentation>
+                    <xs:documentation>The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.</xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="incomplete_first_party_opensource_only">
                 <xs:annotation>
-                    <xs:documentation>The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.</xs:documentation>
+                    <xs:documentation>The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.</xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="incomplete_third_party_only">
@@ -3644,7 +3644,7 @@ limitations under the License.
                                                                 </xs:element>
                                                                 <xs:element name="range" type="xs:normalizedString" minOccurs="1" maxOccurs="1">
                                                                     <xs:annotation>
-                                                                        <xs:documentation>A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst</xs:documentation>
+                                                                        <xs:documentation>A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec</xs:documentation>
                                                                     </xs:annotation>
                                                                 </xs:element>
                                                             </xs:choice>
diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto
@@ -1093,7 +1093,7 @@ message VulnerabilityAffectedVersions {
   oneof choice {
     // A single version of a component or service.
     string version = 1;
-    // A version range specified in Package URL Version Range syntax (vers), which is defined at https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst
+    // A version range specified in Package URL Version Range syntax (vers), which is defined at https://github.com/package-url/vers-spec
     string range = 2;
   }
   // The vulnerability status for the version or range of versions. Defaults to VULNERABILITY_AFFECTED_STATUS_AFFECTED if not specified.
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
@@ -2928,7 +2928,7 @@
                     },
                     "range": {
                       "title": "Version Range",
-                      "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst",
+                      "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec",
                       "$ref": "#/definitions/versionRange"
                     },
                     "status": {
@@ -2983,7 +2983,7 @@
       ]
     },
     "versionRange": {
-      "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst",
+      "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec",
       "type": "string",
       "minLength": 1,
       "maxLength": 4096,
diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
@@ -76,7 +76,7 @@ limitations under the License.
     <xs:simpleType name="versionRangeType">
         <xs:annotation>
             <xs:documentation xml:lang="en"><![CDATA[
-                A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst
+                A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec
 
                 Example values:
                 - "vers:cargo/9.0.14"
@@ -2810,12 +2810,12 @@ limitations under the License.
             </xs:enumeration>
             <xs:enumeration value="incomplete_first_party_proprietary_only">
                 <xs:annotation>
-                    <xs:documentation>The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.</xs:documentation>
+                    <xs:documentation>The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.</xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="incomplete_first_party_opensource_only">
                 <xs:annotation>
-                    <xs:documentation>The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.</xs:documentation>
+                    <xs:documentation>The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.</xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="incomplete_third_party_only">
@@ -4475,7 +4475,7 @@ limitations under the License.
                                                                 </xs:element>
                                                                 <xs:element name="range" type="bom:versionRangeType" minOccurs="1" maxOccurs="1">
                                                                     <xs:annotation>
-                                                                        <xs:documentation>A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst</xs:documentation>
+                                                                        <xs:documentation>A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec</xs:documentation>
                                                                     </xs:annotation>
                                                                 </xs:element>
                                                             </xs:choice>
diff --git a/schema/spdx.schema.json b/schema/spdx.schema.json
diff --git a/schema/spdx.xsd b/schema/spdx.xsd
diff --git a/tools/pom.xml b/tools/pom.xml
diff --git a/tools/src/main/java/org/cyclonedx/tools/SpdxXsdGenerator.java b/tools/src/main/java/org/cyclonedx/tools/SpdxXsdGenerator.java
diff --git a/tools/updateSpdx.sh b/tools/updateSpdx.sh

Original file line number	Diff line number	Diff line change
`@@ -662,7 +662,7 @@ message VulnerabilityAffectedVersions {`
`662`	`662`	`oneof choice {`
`663`	`663`	`// A single version of a component or service.`
`664`	`664`	`string version = 1;`
`665`		`- // A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst`
	`665`	`+ // A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec`
`666`	`666`	`string range = 2;`
`667`	`667`	`}`
`668`	`668`	`// The vulnerability status for the version or range of versions.`
Original file line number	Diff line number	Diff line change
`@@ -960,7 +960,7 @@ message VulnerabilityAffectedVersions {`
`960`	`960`	`oneof choice {`
`961`	`961`	`// A single version of a component or service.`
`962`	`962`	`string version = 1;`
`963`		`- // A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst`
	`963`	`+ // A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec`
`964`	`964`	`string range = 2;`
`965`	`965`	`}`
`966`	`966`	`// The vulnerability status for the version or range of versions. Defaults to VULNERABILITY_AFFECTED_STATUS_AFFECTED if not specified.`