
[BUG] VulnerabilityReference contradicting definition in JSON and XML

Open jkowalleck opened this issue 2 years ago • 1 comment

In the XML schema definition for CDX-1.4, vulnerabilityType.references.reference, the id and source are defined as optional (minOccurs="0"); see https://github.com/CycloneDX/specification/blob/master/schema/bom-1.4.xsd#L1779

In the JSON schema definition for CDX-1.4, /definitions/vulnerability/properties/references/items, the id and source are mandatory (they are in the list of required); see https://github.com/CycloneDX/specification/blob/master/schema/bom-1.4.schema.json#L1454

These two definitions contradict each other.

Please clarify which one is correct (a discussion/comment in here would be great for a start) and have the XSD and JSON schema aligned.

jkowalleck, Aug 07 '22 06:08

cc: @coderpatros @DarthHater

stevespringett, Aug 08 '22 14:08

For vulnerabilities themselves, the id and source are optional because they have to be (support for unknown vulns, etc.).

For vulnerability references however, I cannot think of a scenario where the id and source would be optional. Therefore, if this is the case, then I believe the proper fix would be to update the XSD and .proto to make those two fields required to match the JSON. However, this may be a breaking change to proto (which also lists these two fields as optional).

Need your input @coderpatros and @DarthHater

stevespringett, Jan 22 '23 21:01
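The practical consequence of the mismatch described in the issue and in the comment above is an interoperability hazard: a BOM whose vulnerability references omit id or source is valid XML under bom-1.4.xsd but, once converted to JSON, is rejected by bom-1.4.schema.json. The following lint is an added example (not code from the CycloneDX project) that applies the stricter JSON rule to both serialisations so the problem is caught before a format conversion or a downstream consumer hits it. It uses only the Python standard library; the CycloneDX 1.4 XML namespace and the element layout (vulnerabilities/vulnerability/references/reference with child id and source) are assumed from the published schemas, and both sample BOMs are constructed for this example.

```python
"""Lint CycloneDX 1.4 BOMs for vulnerability references lacking id or source.

Added example, not CycloneDX project code. The XSD marks both fields
minOccurs="0" while the JSON schema lists both as required, so the lint
enforces the JSON (stricter) rule on XML and JSON documents alike.
"""
import json
import xml.etree.ElementTree as ET

# CycloneDX 1.4 XML namespace (assumed from the published bom-1.4.xsd).
CDX_NS = {"bom": "http://cyclonedx.org/schema/bom/1.4"}

# Fields bom-1.4.schema.json requires on each vulnerability reference
# according to the issue; the XSD leaves both optional.
REQUIRED_REFERENCE_FIELDS = ("id", "source")


def _finding(v_idx: int, r_idx: int, field: str) -> str:
    """Uniform finding text so JSON and XML results are comparable."""
    return f"vulnerabilities[{v_idx}].references[{r_idx}]: missing {field}"


def lint_json_bom(doc: dict) -> list[str]:
    """Return one finding per vulnerability reference missing a required field."""
    findings = []
    for v_idx, vuln in enumerate(doc.get("vulnerabilities", [])):
        for r_idx, ref in enumerate(vuln.get("references", [])):
            for field in REQUIRED_REFERENCE_FIELDS:
                if not isinstance(ref, dict) or field not in ref:
                    findings.append(_finding(v_idx, r_idx, field))
    return findings


def lint_xml_bom(xml_text: str) -> list[str]:
    """Same check for the XML serialisation, walking the namespaced tree."""
    root = ET.fromstring(xml_text)
    findings = []
    vulns = root.findall("bom:vulnerabilities/bom:vulnerability", CDX_NS)
    for v_idx, vuln in enumerate(vulns):
        refs = vuln.findall("bom:references/bom:reference", CDX_NS)
        for r_idx, ref in enumerate(refs):
            for field in REQUIRED_REFERENCE_FIELDS:
                if ref.find(f"bom:{field}", CDX_NS) is None:
                    findings.append(_finding(v_idx, r_idx, field))
    return findings


# Constructed sample: second reference has a source but no id. The XSD
# accepts this; the JSON schema would reject it after conversion.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <vulnerabilities>
    <vulnerability>
      <id>EXAMPLE-0001</id>
      <references>
        <reference>
          <id>EXAMPLE-REF-1</id>
          <source><name>example</name><url>https://example.invalid/ref-1</url></source>
        </reference>
        <reference>
          <source><name>example</name></source>
        </reference>
      </references>
    </vulnerability>
  </vulnerabilities>
</bom>
"""

# Constructed sample: second reference has an id but no source.
SAMPLE_JSON_TEXT = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "vulnerabilities": [
    {
      "id": "EXAMPLE-0001",
      "references": [
        {"id": "EXAMPLE-REF-1", "source": {"name": "example", "url": "https://example.invalid/ref-1"}},
        {"id": "EXAMPLE-REF-2"}
      ]
    }
  ]
}"""


def main() -> None:
    for label, findings in (("XML", lint_xml_bom(SAMPLE_XML)),
                            ("JSON", lint_json_bom(json.loads(SAMPLE_JSON_TEXT)))):
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  " + line)


if __name__ == "__main__":
    main()
```

Running the module reports one finding for each sample. Because the lint is deliberately as strict as the JSON schema, a BOM that passes it will validate under either schema regardless of which way the maintainers eventually align the XSD and .proto.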