cyclonedx-rust-cargo
[cyclonedx-bom] top-level `bom.version` should be optional in `Bom` struct
Since CycloneDX v1.5, the bom.version field is marked as optional in the JSON schema. The truth is that in the XML and protobuf specifications it has been optional since well before 1.4, but the JSON schema failed to catch up until v1.5 (see the relevant PR https://github.com/CycloneDX/specification/pull/260 and https://github.com/CycloneDX/specification/issues/78).
Since bom.version always has a default value, it should be safe to just make it optional:
- https://github.com/CycloneDX/cyclonedx-rust-cargo/blob/100c362132c4337d5daf8f45a737cc2f7b7d6e4b/cyclonedx-bom/src/models/bom.rs#L105
- https://github.com/CycloneDX/cyclonedx-rust-cargo/blob/100c362132c4337d5daf8f45a737cc2f7b7d6e4b/cyclonedx-bom/src/specs/common/bom.rs#L122
Alternatively, if we want to follow the v1.3 and v1.4 JSON schemas strictly (which I believe was a bug fixed in v1.5), we could diverge the deserialization based on spec version.
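The two options described above, as an added example (not code from the cyclonedx-bom crate): a `Bom` model with an optional `version`, and a resolver that can either treat the field as optional everywhere or stay strict for the pre-1.5 JSON schemas. The struct fields, function names and the `strict` flag are hypothetical; the default of 1 and the minimum of 1 follow the CycloneDX schema.

```rust
// Added example, not the cyclonedx-bom crate's own model.
#[derive(Debug, PartialEq)]
pub struct Bom {
    pub spec_version: String, // e.g. "1.4" or "1.5"
    pub version: Option<u32>, // absent in the document -> None
}

/// JSON schemas before 1.5 require `bom.version`; 1.5 and later do not.
pub fn json_schema_requires_version(spec_version: &str) -> Result<bool, String> {
    let mut parts = spec_version.split('.');
    let major: u32 = parts
        .next()
        .and_then(|s| s.parse().ok())
        .ok_or(format!("malformed specVersion {:?}", spec_version))?;
    let minor: u32 = parts
        .next()
        .and_then(|s| s.parse().ok())
        .ok_or(format!("malformed specVersion {:?}", spec_version))?;
    Ok((major, minor) < (1, 5))
}

/// Resolve the effective BOM version.
/// `strict = true` follows the 1.3/1.4 JSON schemas literally (missing
/// `version` is an error there); `strict = false` treats the field as
/// optional for every spec version and falls back to the schema default of 1.
pub fn effective_version(bom: &Bom, strict: bool) -> Result<u32, String> {
    match bom.version {
        Some(v) if v >= 1 => Ok(v),
        Some(v) => Err(format!("bom.version must be >= 1, got {}", v)),
        None if strict && json_schema_requires_version(&bom.spec_version)? => Err(format!(
            "bom.version is required by the CycloneDX {} JSON schema",
            bom.spec_version
        )),
        None => Ok(1),
    }
}

fn main() {
    // Constructed sample: a 1.4 document that omits `version`.
    let bom = Bom { spec_version: "1.4".to_string(), version: None };
    println!("strict:  {:?}", effective_version(&bom, true));
    println!("lenient: {:?}", effective_version(&bom, false));
}
```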