added additional test cases, and adjusted the XSD to detect them

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

schema/bom-1.7.xsd

@@ -8905,22 +8905,35 @@ limitations under the License.
                     </xs:documentation>
                 </xs:annotation>
             </xs:element>
-            <xs:element name="attributedTo" type="bom:refLinkType" minOccurs="0" maxOccurs="1">
-                <xs:annotation>
-                    <xs:documentation>
-                        The `bom-ref` of an object, such as a component, service, organisational entity, or person that supplied the cited information.
-                        At least one of "attributedTo" or "process" must be present.
-                    </xs:documentation>
-                </xs:annotation>
-            </xs:element>
-            <xs:element name="process" type="bom:refLinkType" minOccurs="0" maxOccurs="1">
+            <xs:choice>
                 <xs:annotation>
                     <xs:documentation>
-                        An optional `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.
-                        At least one of "attributedTo" or "process" must be present.
+                        At least one of the "attributedTo" or "process" elements must be present.
                     </xs:documentation>
                 </xs:annotation>
-            </xs:element>
+                <xs:element name="attributedTo" type="bom:refLinkType">
+                    <xs:annotation>
+                        <xs:documentation>The `bom-ref` of an object, such as a component, service, organisational entity, or person that supplied the cited information.</xs:documentation>
+                    </xs:annotation>
+                </xs:element>
+                <xs:element name="process" type="bom:refLinkType">
+                    <xs:annotation>
+                        <xs:documentation>The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.</xs:documentation>
+                    </xs:annotation>
+                </xs:element>
+                <xs:sequence>
+                    <xs:element name="attributedTo" type="bom:refLinkType">
+                        <xs:annotation>
+                            <xs:documentation>The `bom-ref` of an object, such as a component, service, organisational entity, or person that supplied the cited information.</xs:documentation>
+                        </xs:annotation>
+                    </xs:element>
+                    <xs:element name="process" type="bom:refLinkType">
+                        <xs:annotation>
+                            <xs:documentation>The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.</xs:documentation>
+                        </xs:annotation>
+                    </xs:element>
+                </xs:sequence>
+            </xs:choice>
             <xs:element name="note" type="xs:string" minOccurs="0" maxOccurs="1">
                 <xs:annotation>
                     <xs:documentation>

tools/src/test/resources/1.7/invalid-citations-1.7.json

@@ -27,13 +27,7 @@
       "bom-ref": "citation-1",
       "pointers": [ "/components/0/name" ],
       "timestamp": "2025-05-01T14:00:00Z",
-      "note": "Manually entered by Alice Example"
-    },
-    {
-      "bom-ref": "citation-2",
-      "pointers": [ "/components/0/licenses/0/license/id" ],
-      "timestamp": "2025-05-01T14:05:00Z",
-      "note": "Auto-detected by license scanner tool"
+      "note": "Should have at least one of the following property sets: property 'attributedTo' or property 'process'"
     }
   ]
 }

tools/src/test/resources/1.7/invalid-citations-1.7.xml

@@ -0,0 +1,86 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
+     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+     version="1">
+    <metadata>
+        <timestamp>2025-05-01T14:23:00Z</timestamp>
+        <authors>
+            <author bom-ref="person-1">
+                <name>Alice Example</name>
+                <email>[email protected]</email>
+            </author>
+        </authors>
+    </metadata>
+    <components>
+        <component type="library" bom-ref="component-1">
+            <name>example-lib</name>
+            <version>1.2.3</version>
+            <licenses>
+                <license>
+                    <id>Apache-2.0</id>
+                </license>
+            </licenses>
+        </component>
+    </components>
+    <formulation>
+        <formula bom-ref="formula-1">
+            <components>
+                <component type="application" bom-ref="scan-tool-1">
+                    <name>My Scan Tool</name>
+                </component>
+            </components>
+            <workflows>
+                <workflow bom-ref="workflow-1">
+                    <uid>259bae74-5ec4-4de8-9386-c91b1f7719b8</uid>
+                    <name>My workflow</name>
+                    <tasks>
+                        <task bom-ref="task-license-scan">
+                            <uid>6d75f8d6-a008-41cf-8b65-c4129fc249f9</uid>
+                            <description>License scan of the source files using OpenSourceScanner v2.1</description>
+                            <taskTypes>
+                                <taskType>scan</taskType>
+                            </taskTypes>
+                        </task>
+                        <task bom-ref="task-license-scan-2">
+                            <uid>dfc0268a-89cb-4823-bb88-84115a06b64d</uid>
+                            <description>License scan of the source files using [REDACTED]</description>
+                            <taskTypes>
+                                <taskType>scan</taskType>
+                            </taskTypes>
+                        </task>
+                    </tasks>
+                    <taskTypes>
+                        <taskType>scan</taskType>
+                    </taskTypes>
+                </workflow>
+            </workflows>
+        </formula>
+    </formulation>
+    <citations>
+        <citation bom-ref="citation-1">
+            <pointers>
+                <pointer>/components/0/name</pointer>
+            </pointers>
+            <timestamp>2025-05-01T14:00:00Z</timestamp>
+            <note>Should have at least one of the following children 'attributedTo' or 'process'</note>
+        </citation>
+        <citation bom-ref="citation-2">
+            <pointers>
+                <pointer>/components/0/licenses/0/license/id</pointer>
+            </pointers>
+            <timestamp>2025-05-01T14:05:00Z</timestamp>
+            <attributedTo>person-1</attributedTo>
+            <attributedTo>scan-tool-1</attributedTo>
+            <note>Should have at max one 'attributedTo'</note>
+        </citation>
+        <citation bom-ref="citation-3">
+            <pointers>
+                <pointer>/components/0/licenses/0/license/id</pointer>
+            </pointers>
+            <timestamp>2025-05-01T14:05:00Z</timestamp>
+            <process>task-license-scan</process>
+            <process>task-license-scan-2</process>
+            <note>Should have at max one 'process'</note>
+        </citation>
+    </citations>
+</bom>

tools/src/test/resources/1.7/valid-citations-1.7.json

@@ -35,15 +35,22 @@
       "pointers": [ "/components/0/name" ],
       "timestamp": "2025-05-01T14:00:00Z",
       "attributedTo": "person-1",
-      "note": "Manually entered by Alice Example"
+      "note": "Manually entered by Alice Example - with `attributedTo`"
     },
     {
       "bom-ref": "citation-2",
+      "pointers": [ "/components/0/name" ],
+      "timestamp": "2025-05-01T14:00:00Z",
+      "process": "task-license-scan",
+      "note": "Semi-manually entered by Alice Example - with `process`"
+    },
+    {
+      "bom-ref": "citation-3",
       "pointers": [ "/components/0/licenses/0/license/id" ],
       "timestamp": "2025-05-01T14:05:00Z",
       "attributedTo": "scan-tool-1",
       "process": "task-license-scan",
-      "note": "Auto-detected by license scanner tool"
+      "note": "Auto-detected by license scanner tool - with both, 'attributedTo' and 'process'"
     }
   ],
   "formulation": [

tools/src/test/resources/1.7/valid-citations-1.7.textproto

@@ -41,7 +41,17 @@ citations [
     note: "Manually entered by Alice Example"
   },
   {
-    bom_ref: "citation-2"
+    bom_ref: "citation-1"
+    pointer: "/components/0/name"
+    timestamp: {
+      seconds: 1746108000
+      nanos: 0
+    }
+    process: "task-license-scan"
+    note: "Semi-manually entered by Alice Example - with `process`"
+  },
+  {
+    bom_ref: "citation-3"
     pointer: "/components/0/licenses/0/license/id"
     timestamp: {
       seconds: 1746108000

tools/src/test/resources/1.7/valid-citations-1.7.xml

@@ -56,16 +56,24 @@
             </pointers>
             <timestamp>2025-05-01T14:00:00Z</timestamp>
             <attributedTo>person-1</attributedTo>
-            <note>Manually entered by Alice Example</note>
+            <note>Manually entered by Alice Example - with `attributedTo`</note>
         </citation>
         <citation bom-ref="citation-2">
+            <pointers>
+                <pointer>/components/0/name</pointer>
+            </pointers>
+            <timestamp>2025-05-01T14:00:00Z</timestamp>
+            <attributedTo>person-1</attributedTo>
+            <note>Semi-manually entered by Alice Example - with `process`</note>
+        </citation>
+        <citation bom-ref="citation-3">
             <pointers>
                 <pointer>/components/0/licenses/0/license/id</pointer>
             </pointers>
             <timestamp>2025-05-01T14:05:00Z</timestamp>
             <attributedTo>scan-tool-1</attributedTo>
             <process>task-license-scan</process>
-            <note>Auto-detected by license scanner tool</note>
+            <note>Auto-detected by license scanner tool - with both, 'attributedTo' and 'process'</note>
         </citation>
     </citations>
 </bom>