
[WIP] v1.6

Open jkowalleck opened this issue 1 year ago • 1 comments

Added

  • Core enhancement: Attestation (#192 via #348)
  • Core enhancement: Cryptography Bill of Materials — CBOM (#171, #291 via #347)
  • Enum "ExternalReferenceType" got a value source-distribution (#98 via #269)
  • Enum "ExternalReferenceType" got a value rfc-9116 (#380 via #381)
  • Data model "Service" got a field tags (via #383)
  • Data model "Component" got a field tags (via #383)
  • Data model "Component" got a field authors (#335 via #379)
  • Data model "Component" got a field manufacturer (#346 via #379)
  • Data model "Metadata" got a field manufacturer (#57 via #379)

Fixed

  • Allow multiple evidence identities by XML/JSON schema (#272 via #359)
    This was already correct via Protobuf schema.
  • Prevent empty license entities by XML schema (#288 via #292)
    This was already correct in JSON/Protobuf schema.
  • Prevent empty or malformed property entities by JSON schema (#371 via #375)
    This was already correct in XML/Protobuf schema.

Deprecated

  • Data model "Component"'s field author was deprecated. (via #379) Use field authors or field manufacturer instead.
  • Data model "Metadata"'s field manufacture was deprecated. (#346 via #379) Use "Metadata"'s field component's field manufacturer instead.
    • for XML: /bom/metadata/component/manufacturer
    • for JSON: $.metadata.component.manufacturer
    • for ProtoBuf: metadata.component.manufacturer

Documentation

  • Centralize version and version-range (via #322)
  • Streamlined SPDX expression related descriptions (via #327)
  • Enhanced descriptions of bom-ref/refType (#336 via #344)
  • Enhanced readability of enum documentation in JSON schema (#361 via #362)
  • Fixed typo "compliment" -> "complement" (via #369)
  • Added documentation for enum "ComponentScope"'s values in JSON schema (#293 via d92e58e)
    Texts were taken from the existing ones in XML/Protobuf schema.
  • Added documentation for enum "TaskType"'s values (#245 via #377)
  • Improve documentation for data model "Metadata"'s field licenses (#273 via #378)
  • Rephrased some texts here and there.

Test data

  • Added test data for newly added use cases
  • Added quality assurance measures for our protocol buffer schemas (#384 via #385)

jkowalleck avatar Oct 15 '23 09:10 jkowalleck

@prabhu

if we know which libraries offer crypto-related functionalities...

This is something we have planned for v1.7 which is tied into the blueprints. Being able to communicate what the purpose of a component is and what capabilities it provides is something we'll be working on. Then using that information, we then plan to construct blueprints of how an application works (at a high level).

stevespringett avatar Jan 31 '24 20:01 stevespringett

Shall we merge this PR and make an alpha release?

prabhu avatar Mar 22 '24 15:03 prabhu

@prabhu the contents of the 1.6-dev branch are stable and have been approved by the CWG and TC54. That is the alpha snapshot. We are expecting to be fully complete with remaining items on the March 28 TC54 call. At this point, an OWASP release of 1.6 will shortly follow.

stevespringett avatar Mar 23 '24 06:03 stevespringett

@stevespringett, could you kindly allow some more time for alpha testing?

prabhu avatar Mar 23 '24 09:03 prabhu

@prabhu The two major features (CBOM, and CDXA) have been stable for several months, with many tool creators starting to use them. ServiceNow is already starting to use CDXA internally. I cannot modify the Ecma timeline, but I may be able to push the OWASP release back a week. I would suggest reviewing as much as possible, focusing on the few changes outside of CBOM and CDXA.

stevespringett avatar Mar 23 '24 19:03 stevespringett

@stevespringett @jkowalleck do we need to update spdx.schema.json with the new license ids since the last release?

prabhu avatar Mar 25 '24 21:03 prabhu

@prabhu yes I do. We eventually need to automate that, but we can do that anytime. It's not pinned to a CycloneDX release.

stevespringett avatar Mar 26 '24 04:03 stevespringett

@jkowalleck - .cryptoProperties.assetType is optional currently in XSD - see here: <xs:element name="assetType" minOccurs="0" maxOccurs="1">

Which leaves the entirety of .cryptoProperties optional, which seems incorrect to me.

madpah avatar Apr 05 '24 11:04 madpah

@jkowalleck - .cryptoProperties.protocolProperties.version has no type in the XSD here, but is defined as a String under the JSON schema:

<xs:element name="version" minOccurs="0" maxOccurs="1">

madpah avatar Apr 05 '24 11:04 madpah

@jkowalleck .cryptoProperties.protocolProperties.ikev2TransformTypes.esn is defined as a boolean occurring 0 or more times in XSD, but as an optional (singular) boolean in JSON schema.

See XSD here <xs:element name="esn" type="xs:boolean" minOccurs="0" maxOccurs="unbounded">

madpah avatar Apr 05 '24 11:04 madpah

@jkowalleck - .cryptoProperties.assetType is optional currently in XSD - see here: <xs:element name="assetType" minOccurs="0" maxOccurs="1">

Which leaves the entirety of .cryptoProperties optional, which seems incorrect to me.

@madpah thanks. This has been corrected in https://github.com/CycloneDX/specification/commit/2bb8bae596044654ce703c1d4c630f8daac5c2e8

stevespringett avatar Apr 06 '24 01:04 stevespringett

@jkowalleck - .cryptoProperties.protocolProperties.version has no type in the XSD here, but is defined as a String under the JSON schema:

<xs:element name="version" minOccurs="0" maxOccurs="1">

@madpah Not really an issue, but I did make this explicit in https://github.com/CycloneDX/specification/commit/f5d959b91a4def6832a9f93bd012ac5054af0c7f

stevespringett avatar Apr 06 '24 01:04 stevespringett

@jkowalleck .cryptoProperties.protocolProperties.ikev2TransformTypes.esn is defined as a boolean occurring 0 or more times in XSD, but as an optional (singular) boolean in JSON schema.

See XSD here <xs:element name="esn" type="xs:boolean" minOccurs="0" maxOccurs="unbounded">

@madpah Nice catch. Corrected in https://github.com/CycloneDX/specification/commit/d278e706772a63e8e68894036a6ecacd14ec09de

stevespringett avatar Apr 06 '24 01:04 stevespringett
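The discrepancies reported above (an untyped XSD element, and an element that is unbounded in XSD but singular in JSON schema) are the kind of drift a small automated cross-check can catch before release. The following is an added example, not code from the thread or from the CycloneDX project; the XSD and JSON-schema fragments are constructed to mirror the reported cases, and the type mapping `XSD_TO_JSON` is an assumption that covers only the primitives used here.

```python
import json
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"

# Constructed XSD fragment: "version" carries no type, "esn" may occur unbounded times.
XSD_FRAGMENT = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:complexType name="protocolProperties">
    <xs:sequence>
      <xs:element name="version" minOccurs="0" maxOccurs="1"/>
      <xs:element name="esn" type="xs:boolean" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element name="encr" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
</xs:schema>"""

# Constructed JSON-schema fragment describing the same properties.
JSON_FRAGMENT = json.loads("""{
  "properties": {
    "version": {"type": "string"},
    "esn": {"type": "boolean"},
    "encr": {"type": "array", "items": {"type": "string"}}
  }
}""")

# Assumed mapping of XSD primitive types to JSON-schema types (only what this example needs).
XSD_TO_JSON = {"xs:boolean": "boolean", "xs:string": "string", "xs:integer": "integer"}


def xsd_elements(xsd_text):
    """Map element name -> (xsd type or None, allows_multiple) for every xs:element."""
    out = {}
    for el in ET.fromstring(xsd_text).iter(XS + "element"):
        max_occurs = el.get("maxOccurs", "1")
        multiple = max_occurs == "unbounded" or int(max_occurs) > 1
        out[el.get("name")] = (el.get("type"), multiple)
    return out


def find_mismatches(xsd_text, json_schema):
    """Return (property, finding) pairs where XSD and JSON schema disagree."""
    findings = []
    props = json_schema.get("properties", {})
    for name, (xsd_type, multiple) in xsd_elements(xsd_text).items():
        js = props.get(name)
        if js is None:
            findings.append((name, "missing in JSON schema"))
            continue
        json_multiple = js.get("type") == "array"
        if multiple != json_multiple:  # cardinality drift, as with esn
            findings.append((name, "XSD allows multiple, JSON is singular" if multiple
                             else "JSON is array, XSD is singular"))
        if xsd_type is None:  # untyped XSD element, as with version
            findings.append((name, "XSD element has no type"))
            continue
        json_type = js["items"]["type"] if json_multiple else js.get("type")
        if XSD_TO_JSON.get(xsd_type) != json_type:
            findings.append((name, f"type {xsd_type} vs JSON {json_type}"))
    return findings
```

Running `find_mismatches(XSD_FRAGMENT, JSON_FRAGMENT)` flags `version` as untyped and `esn` as a cardinality mismatch, while the consistently defined `encr` produces no finding.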