
Support spec version 1.5

Open · justahero opened this issue 2 years ago · 1 comment

The spec version 1.5 was released last year, therefore support for version 1.5 should be added. Initial work has begun in #584; it covers the first 4 items of the list below, but adding everything in a single PR is easily too much to review.

I checked the specification and collected the list of changes from version 1.4 to version 1.5. My hope is that the work can be split into separate PRs to provide better progress updates.

  • [x] top level version field not required anymore, see #584
  • [x] add top level annotations, see #584
  • [x] add trustZone to Service, see #584
  • [x] add lifecycles field to Metadata, see #584
  • [x] expand Component type in Metadata with new enum values, see #654
  • [x] update tools in Metadata, changed to oneOf. see #656
  • [x] add bom-ref field (refType) to OrganizationalContact, e.g. in authors in Metadata, see #658
  • [x] add modelCard & data to Component, see #660
  • [x] externalReference type changed, see #663
    • [x] url is a oneOf now
    • [x] type got a lot more enum values
  • [x] licenseChoice changed, either multiple licenses or a single spdx license expression, see commit b8679b2da7e69e4d52df0cc21ca258656ef2d1f0
  • [x] tool is marked as deprecated in Tools
  • [x] organizationalEntity also got a bom-ref, same as organizationalContact, see #674
  • [x] license updated, see #692
    • [x] add bom-ref field
    • [x] add licensing object with nested fields, e.g. licensor, licensee, purchaser, licenseTypes
  • [x] data field in Service changed to serviceData from dataClassification with a few more fields, see #673
  • [x] evidence in Component expands with more fields, e.g. identity, see #676
  • [x] Composition
    • [x] receives bom-ref, see #678
    • [x] has new field vulnerabilities, see #678
    • [x] assemblies now has a oneOf relation, either refLinkType or bomLinkElementType
    • [x] aggregateType has a few more enum values, see #681
  • [x] method (scoreMethod) in Rating has new enum values, see #682
  • [x] vulnerability has new fields, see #683
  • [ ] refType is split into refLinkType & bomLinkElementType
  • [x] top level formulation including a whole new set of types! See #689
  • [x] top level properties, see #675

justahero, Mar 12 '24 17:03

formulation was added in https://github.com/CycloneDX/cyclonedx-rust-cargo/pull/689

pvdrz, May 07 '24 15:05

Is refType the last missing item?

felipesere, May 10 '24 10:05

I will check off the item. Basically refLinkType & bomLinkElementType are both String types, where the latter one matches a specific pattern (see bomLinkElementType definition vs refType).

justahero, May 10 '24 10:05
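The distinction in the comment above matters when a reader of a BOM resolves references in places where the 1.5 schema allows a oneOf of refLinkType and bomLinkElementType (for example composition assemblies): a plain bom-ref points into the current document, while a BOM-Link points into another document, and a parser that blurs the two can make a vulnerability or composition statement apply to the wrong artifact. The following is an added, stand-alone example, not code from cyclonedx-rust-cargo, that classifies such a string using only the patterns published in the CycloneDX 1.5 JSON schema (`^urn:cdx:[^/]+/[1-9][0-9]*$` for bomLinkDocumentType, `^urn:cdx:[^/]+/[1-9][0-9]*#.+$` for bomLinkElementType). The enum and error names are this example's own, and the sample inputs in `main` are constructed.

```rust
// Added example (not part of cyclonedx-rust-cargo): classify a CycloneDX 1.5
// reference string as a local bom-ref (refLinkType), a BOM-Link to a whole
// document (bomLinkDocumentType) or a BOM-Link to one element in another
// document (bomLinkElementType). Patterns from the 1.5 JSON schema:
//   bomLinkDocumentType: ^urn:cdx:[^/]+/[1-9][0-9]*$
//   bomLinkElementType:  ^urn:cdx:[^/]+/[1-9][0-9]*#.+$
// refLinkType is an unconstrained string. Type names here are hypothetical.

#[derive(Debug, PartialEq, Eq)]
pub enum BomRef<'a> {
    /// Plain bom-ref resolved inside the current document.
    Local(&'a str),
    /// BOM-Link to an entire external BOM (serial number + version).
    Document { serial: &'a str, version: u32 },
    /// BOM-Link to one element (bom-ref in the fragment) of an external BOM.
    Element { serial: &'a str, version: u32, bom_ref: &'a str },
}

#[derive(Debug, PartialEq, Eq)]
pub enum LinkError {
    Empty,
    MissingSerial,
    MissingVersion,
    BadVersion,
    EmptyFragment,
}

const BOM_LINK_PREFIX: &str = "urn:cdx:";

/// Version component: ASCII digits only, no leading zero, must fit in u32.
fn parse_version(s: &str) -> Result<u32, LinkError> {
    let bytes = s.as_bytes();
    if bytes.is_empty() || bytes[0] == b'0' || !bytes.iter().all(|b| b.is_ascii_digit()) {
        return Err(LinkError::BadVersion);
    }
    s.parse::<u32>().map_err(|_| LinkError::BadVersion)
}

/// Classify a string found in a refLinkType / bomLinkElementType oneOf.
/// A value starting with `urn:cdx:` that does not match either BOM-Link
/// pattern is rejected rather than silently treated as a local bom-ref, so a
/// malformed link can never be resolved against the wrong document.
pub fn classify(input: &str) -> Result<BomRef<'_>, LinkError> {
    if input.is_empty() {
        return Err(LinkError::Empty);
    }
    let rest = match input.strip_prefix(BOM_LINK_PREFIX) {
        None => return Ok(BomRef::Local(input)),
        Some(rest) => rest,
    };
    // Serial number is everything up to the first '/', and must be non-empty
    // (the schema's `[^/]+` forbids '/' inside it).
    let (serial, rest) = rest.split_once('/').ok_or(LinkError::MissingVersion)?;
    if serial.is_empty() {
        return Err(LinkError::MissingSerial);
    }
    // Split on the first '#': the version may not contain one, the fragment
    // (`.+`) may contain further '#' or '/' characters.
    match rest.split_once('#') {
        None => Ok(BomRef::Document { serial, version: parse_version(rest)? }),
        Some((ver, frag)) => {
            let version = parse_version(ver)?;
            if frag.is_empty() {
                return Err(LinkError::EmptyFragment);
            }
            Ok(BomRef::Element { serial, version, bom_ref: frag })
        }
    }
}

fn main() {
    // Constructed sample inputs; the serial number is an arbitrary UUID.
    let samples = [
        "pkg:cargo/serde@1.0.0",
        "urn:cdx:f08a6ccd-4dce-4759-bd84-c626675d60a7/1",
        "urn:cdx:f08a6ccd-4dce-4759-bd84-c626675d60a7/1#componentA",
        "urn:cdx:f08a6ccd-4dce-4759-bd84-c626675d60a7/01#componentA",
        "urn:cdx:f08a6ccd-4dce-4759-bd84-c626675d60a7/1#",
    ];
    for s in samples {
        println!("{s:?} -> {:?}", classify(s));
    }
}
```

The fragment after `#` is kept verbatim because the schema's `.+` places no further constraint on it; whether that bom-ref actually exists is a question for the document the link points at, which is exactly why the two types should not be confused at parse time.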

This is implemented in latest git, and we're going to ship a release with this soon. Closing.

If you find something that is missing, please let us know by opening an issue!

Shnatsel, May 13 '24 12:05