
[DRAFT] extraneous components and version range constraints

Open jkowalleck opened this issue 2 years ago • 4 comments

Sketch/proposal for #321

Implementing with components, because the objects referenced/required are actually used at runtime and are therefore considered a "component".

  • [x] sketch JSON schema
    • properties and assert
    • test cases
  • [x] sketch XML schema
    • properties. `assert` would require XSD 1.1, which is not broadly implemented yet.
    • test cases
  • [ ] sketch ProtoBuff schema
    SKIPPED THIS FOR NOW, as I do not have a lot of practice with PB schema. Please help :-)

jkowalleck avatar Oct 22 '23 15:10 jkowalleck

Thank you for putting this together. Few questions.

How is extraneous different from a scope with a value of excluded?

The versionRange is interesting. I like it, but it will not work in all situations. For example, if an extraneous component is Windows and the range is 2000, XP, Vista, 7, 8, 10, and 11. I think we'll need another way to specify possible versions.

stevespringett avatar Dec 27 '23 07:12 stevespringett

> How is extraneous different from a scope with a value of excluded?

A component could be optional AND extraneous at the same time. Current scope does not allow this. See section "possible solution" in https://github.com/CycloneDX/specification/issues/321

I guess my confusion is caused by the fact that the scope has no proper documentation - which would be fixed by #293

> The versionRange is interesting. I like it, but it will not work in all situations. For example, if an extraneous component is Windows and the range is 2000, XP, Vista, 7, 8, 10, and 11. I think we'll need another way to specify possible versions.

Actually, Windows XP/Vista/etc. all have version numbers and build IDs. VERS supports the complete SemVer spec -- and therefore knows the format <versionNumber>+<buildID>.
For Windows: https://en.wikipedia.org/wiki/Comparison_of_Microsoft_Windows_versions. For example, Windows XP is 5.1+2600, while Windows 11 with the 2023 update would be 10.0+22631.

I could add examples for popular operating systems and runtime-engines to bom:versionRangeType, if you want.

jkowalleck avatar Dec 27 '23 13:12 jkowalleck
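To make the version-range discussion above concrete, here is an added example (not code from the CycloneDX specification, the purl-spec vers project, or either commenter) of a small matcher for vers-style ranges over SemVer-like versions. It assumes the range syntax `vers:semver/<constraint>|<constraint>|...` with operators `>=`, `<=`, `>`, `<`, `!=` and bare equality, and it simply ANDs all constraints, which is a simplification of the real vers combination rules. The Windows version strings are taken from the comment above; the range strings are constructed for the example. One caveat it makes visible: SemVer build metadata after `+` (the build ID) is parsed but, per SemVer 2.0, ignored for ordering, so a range cannot distinguish two builds of the same version number.

```python
"""Minimal vers-style range matcher for SemVer-like versions.

Added illustration, not project code. Assumptions:
  - range syntax: "vers:semver/<c1>|<c2>|..." where each constraint is an
    optional operator (>=, <=, >, <, !=, or none for equality) plus a version;
  - all constraints must hold (AND), a simplification of the vers spec;
  - versions look like "<major>.<minor>[.<patch>][-<prerelease>][+<build>]";
  - build metadata after "+" is kept for display but ignored for ordering.
"""
import re
from dataclasses import dataclass

_VERSION_RE = re.compile(
    r"^(?P<core>\d+(?:\.\d+){0,2})"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?"
    r"(?:\+(?P<build>[0-9A-Za-z.-]+))?$"
)


@dataclass(frozen=True)
class Version:
    core: tuple   # (major, minor, patch); missing parts padded with 0
    pre: tuple    # prerelease identifiers; empty tuple means a release
    build: str    # build metadata, not part of ordering

    @classmethod
    def parse(cls, text):
        # Marketing names such as "XP" are rejected: only numeric versions parse.
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a SemVer-like version: {text!r}")
        nums = [int(p) for p in m.group("core").split(".")]
        core = tuple(nums + [0] * (3 - len(nums)))
        pre = tuple(m.group("pre").split(".")) if m.group("pre") else ()
        return cls(core, pre, m.group("build") or "")

    def sort_key(self):
        # SemVer ordering: numeric core, then a release outranks any prerelease
        # of the same core; numeric prerelease ids sort below alphanumeric ones.
        pre_key = tuple(
            (0, int(p), "") if p.isdigit() else (1, 0, p) for p in self.pre
        )
        return (self.core, 0 if self.pre else 1, pre_key)


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "!=": lambda a, b: a != b,
    "=": lambda a, b: a == b,
}
_CONSTRAINT_RE = re.compile(r"^(>=|<=|!=|>|<|=)?(.+)$")


def parse_vers(range_text):
    """Return (scheme, [(op, Version), ...]) for a 'vers:semver/...' string."""
    if not range_text.startswith("vers:"):
        raise ValueError("range must start with 'vers:'")
    scheme, _, body = range_text[len("vers:"):].partition("/")
    if scheme != "semver":
        raise ValueError(f"unsupported versioning scheme: {scheme!r}")
    constraints = []
    for piece in body.split("|"):
        piece = piece.strip()
        if not piece:
            continue
        m = _CONSTRAINT_RE.match(piece)
        constraints.append((m.group(1) or "=", Version.parse(m.group(2))))
    if not constraints:
        raise ValueError("range carries no constraints")
    return scheme, constraints


def in_range(version_text, range_text):
    """True when the version satisfies every constraint of the range."""
    _, constraints = parse_vers(range_text)
    key = Version.parse(version_text).sort_key()
    return all(_OPS[op](key, bound.sort_key()) for op, bound in constraints)


if __name__ == "__main__":
    # Constructed sample: versions from the thread, range invented for the demo.
    windows_xp, windows_11 = "5.1+2600", "10.0+22631"
    legacy = "vers:semver/>=5.1|<10.0"
    print(windows_xp, "in", legacy, "->", in_range(windows_xp, legacy))
    print(windows_11, "in", legacy, "->", in_range(windows_11, legacy))
    print("build id ignored:", in_range("10.0+19045", "vers:semver/10.0+22631"))
```

Running the block shows Windows XP (5.1) inside the constructed `>=5.1|<10.0` range and Windows 11 (10.0) outside it; the last line shows that two 10.0 builds compare equal, which is why a BOM that needs to pin a specific build cannot rely on the `+build` part of a SemVer range.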

> I could add examples for popular operating systems and runtime-engines to bom:versionRangeType, if you want.

I don't think that's necessary. I'm just wondering how many people would understand that marketing names have actual version numbers.

stevespringett avatar Dec 28 '23 02:12 stevespringett

Dropped this issue/request from the 1.6 milestone goals, and moved it to 1.7 for the following reasons: did not finish in time for 1.6, needs further discussion.

Need to migrate this PR after 1.6 is finished/published/merged ...

jkowalleck avatar Jan 29 '24 22:01 jkowalleck