wip

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

Author: jkowalleck

schema/bom-1.7.proto

@@ -106,8 +106,17 @@ message Component {
   optional string group = 7;
   // The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery
   string name = 8;
-  // The component version. The version should ideally comply with semantic versioning but is not enforced. Version was made optional in v1.4 of the spec. For backward compatibility, it is recommended to use an empty string to represent components without version information.
-  string version = 9;
+  oneof versionChoice {
+    // The component version. The version should ideally comply with semantic versioning but is not enforced.
+    // Version was made optional in v1.4 of the spec.
+    // For backward compatibility, it is recommended to use an empty string to represent components without version information.
+    string version = 9;
+    // For an extraneous component, this is the accepted version range.
+    // Value MUST follow Package URL Version Range syntax (vers)which is defined at <https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst>.
+    // MAY only occur if property `isExtraneous` is set to 'true'.
+    // MUST NOT be used for `Bom.metadata.component`.
+    string versionRange = 33;
+  }
   // Specifies a description for the component
   optional string description = 10;
   // Specifies the scope of the component. If a scope is not specified, SCOPE_REQUIRED scope should be assumed by the consumer of the BOM
@@ -154,6 +163,10 @@ message Component {
   repeated string omniborId = 31;
   // Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, must be valid and conform to the specification defined at: https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html
   repeated string swhid = 32;
+  // Whether this component is extraneous.
+  // An extraneous component is not part of an assembly, but is (expected to be) provided by the environment, regardless of the component's `scope`.
+  // MUST be of value `false` for `Bom.metadata.component`.
+  optional bool isExtraneous = 34; // implicit defaults to `false`
 }
 
 // Specifies the data flow.

schema/bom-1.7.schema.json

@@ -920,22 +920,22 @@
           "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery",
           "examples": ["tomcat-catalina"]
         },
-        "isExtraneous": {
-          "type": "boolean",
-          "title": "Component Is Extraneous",
-          "description": "Whether this component is extraneous.\nAn extraneous component is not part of an assembly, but is (expected to be) provided by the environment, regardless of the component's `.scope`.\nMUST be of value `false` for `$.metadata.component`.",
-          "default": false
+        "version": {
+          "$ref": "#/definitions/version",
+          "title": "Component Version",
+          "description": "The component version. The version should ideally comply with semantic versioning but is not enforced."
         },
         "versionRange": {
           "$ref": "#/definitions/versionRange",
           "title": "Component Version Range",
-          "description": "A version range to fulfill this capability, specified in Package URL Version Range syntax (vers) which is defined at <https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst>.\nMAY only occur if property `.isExtraneous` is set to 'true'.\nMUST NOT be used for `$.metadata.component`.",
+          "description": "For an extraneous component, this is the accepted version range.\nValue MUST follow Package URL Version Range syntax (vers)which is defined at <https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst>.\nMAY only occur if property `.isExtraneous` is set to 'true'.\nMUST NOT be used for `$.metadata.component`.",
           "$comment": "a rule is taking care of the coherence between `version`/`versionRange` and `isExtraneous`=='true'"
         },
-        "version": {
-          "$ref": "#/definitions/version",
-          "title": "Component Version",
-          "description": "The component version. The version should ideally comply with semantic versioning but is not enforced."
+        "isExtraneous": {
+          "type": "boolean",
+          "title": "Component Is Extraneous",
+          "description": "Whether this component is extraneous.\nAn extraneous component is not part of an assembly, but is (expected to be) provided by the environment, regardless of the component's `.scope`.\nMUST be of value `false` for `$.metadata.component`.",
+          "default": false
         },
         "description": {
           "type": "string",

schema/bom-1.7.xsd

@@ -564,10 +564,10 @@ limitations under the License.
                 <xs:element name="versionRange" type="bom:versionRangeType">
                     <xs:annotation>
                         <xs:documentation><![CDATA[
-                            A version range to fulfill this capability, specified in Package URL Version Range syntax (vers) which is defined at
-                            <https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst>.
+                            For an extraneous component, this is the accepted version range.
+                            Value MUST follow Package URL Version Range syntax (vers)which is defined at <https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst>.
                             The component version range that may be provided to fulfill this capability.
-                            MAY only occur if attribute `.@isExtraneous` is set to `true`.
+                            MAY only occur if attribute `@isExtraneous` is set to `true`.
                             MUST NOT be used for `/metadata/component`.
                         ]]></xs:documentation>
                         </xs:annotation>

tools/src/test/resources/1.7/valid-component-extraneous-with-version.textproto

@@ -0,0 +1,13 @@
+# proto-file: schema/bom-1.7.proto
+# proto-message: Bom
+
+spec_version: "1.7"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+components {
+  type: CLASSIFICATION_LIBRARY
+  name: "Foo"
+  description: "extraneous with version constraint",
+  isExtraneous: true
+  version: "9.1.24"
+}

tools/src/test/resources/1.7/valid-component-extraneous-with-versionRange.textproto

@@ -0,0 +1,13 @@
+# proto-file: schema/bom-1.7.proto
+# proto-message: Bom
+
+spec_version: "1.7"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+components {
+  type: CLASSIFICATION_LIBRARY
+  name: "Foo"
+  description: "extraneous with version range constraints"
+  isExtraneous: true
+  versionRange: ">=9.0.0|<10.0.0"
+}

tools/src/test/resources/1.7/valid-component-extraneous-without-version.json

@@ -0,0 +1,15 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.7",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "components": [
+    {
+      "type": "library",
+      "name": "Foo",
+      "description": "extraneous without version constraint",
+      "isExtraneous": true
+    }
+  ]
+}

tools/src/test/resources/1.7/valid-component-extraneous-without-version.textproto

@@ -0,0 +1,12 @@
+# proto-file: schema/bom-1.7.proto
+# proto-message: Bom
+
+spec_version: "1.7"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+components {
+  type: CLASSIFICATION_LIBRARY
+  name: "Foo"
+  description: "extraneous without version constraint",
+  isExtraneous: true
+}

tools/src/test/resources/1.7/valid-component-extraneous-without-version.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
+     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"
+>
+    <components>
+        <component type="library" isExtraneous="true">
+            <name>Foo</name>
+            <description>extraneous without version constraint</description>
+        </component>
+    </components>
+</bom>