
[Defect]: Resolve Ambiguity in Component:Version element description

Open benjsc opened this issue 1 year ago • 0 comments

Describe the defect

In the CycloneDX Spec the Component:Version element documentation states:

"The component version. The version should ideally comply with semantic versioning but is not enforced."

The type of the field is of type: VersionType and the VersionType field shows multiple examples of what a version can look like:

  Example values:
                - "9.0.14"
                - "v1.33.7"
                - "7.0.0-M1"
                - "2.0pre1"
                - "1.0.0-beta1"
                - "0.8.15"

Due to the wording of the documentation of Component:Version field, an ambiguity arises on the correct way to populate the version element for languages which use semantic versioning but also prefix/postfix the version with extra details.

For example, golang tags its modules prefixed with a 'v', giving a tag of 'v1.0.0'. However, the official semantic version would be '1.0.0'.

This issue requests that the specification documentation be updated to clarify whether Component:Version should strictly honor the Semantic Versioning numbering scheme, i.e. no prefixes, or whether the Component:Version field honors the more relaxed VersionType examples.

Additional context

This clarification is requested to assist downstream SBOM creators in taking a definitive approach in their implementation. An example of this being sought: https://github.com/aquasecurity/trivy/discussions/7242

benjsc avatar Aug 12 '24 21:08 benjsc
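The ambiguity above is easy to make concrete: of the six VersionType examples quoted in the issue, only four are valid under the SemVer 2.0.0 grammar, and a Go module tag is one character away from being valid. The program below is an added illustration written for this page, not code from the CycloneDX specification, from Trivy, or from the issue author. It uses the regular expression published on semver.org (an assumption that this grammar is what "semantic versioning" means in the spec text), checks each quoted example against it, and shows one normalization policy an SBOM producer could apply to Go tags: strip a single leading "v" only when what remains is strict SemVer, and otherwise leave the string untouched and flag it. The function names and the extra Go tag forms (a pseudo-version and a "+incompatible" tag) are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// semverRe is the anchored SemVer 2.0.0 grammar from semver.org:
// MAJOR.MINOR.PATCH, optional -prerelease, optional +build. No "v" prefix.
var semverRe = regexp.MustCompile(`^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)` +
	`(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?` +
	`(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$`)

// IsStrictSemVer reports whether s is a valid SemVer 2.0.0 string with no prefix.
func IsStrictSemVer(s string) bool { return semverRe.MatchString(s) }

// NormalizeGoTag (hypothetical helper) strips the single leading "v" that Go
// module tags carry. It returns (normalized, true) when the remainder is strict
// SemVer, and (s, false) otherwise so the caller can decide what to emit for
// values the spec examples allow but SemVer does not (e.g. "2.0pre1").
func NormalizeGoTag(s string) (string, bool) {
	trimmed := strings.TrimPrefix(s, "v")
	if IsStrictSemVer(trimmed) {
		return trimmed, true
	}
	return s, false
}

func main() {
	// Constructed inputs: the VersionType examples quoted in the issue, plus a
	// Go release tag, a Go pseudo-version, and a "+incompatible" tag.
	inputs := []string{
		"9.0.14", "v1.33.7", "7.0.0-M1", "2.0pre1", "1.0.0-beta1", "0.8.15",
		"v1.0.0", "v0.0.0-20190101000000-abcdef123456", "v2.0.0+incompatible",
	}
	for _, v := range inputs {
		n, ok := NormalizeGoTag(v)
		fmt.Printf("%-40s strictSemVer=%-5v normalized=%-38q accepted=%v\n",
			v, IsStrictSemVer(v), n, ok)
	}
}
```

Running it shows "v1.33.7" and "2.0pre1" failing the strict check while the other four quoted examples pass; the Go tags all normalize cleanly because Go's own tag rules are SemVer plus the "v". Whichever answer the spec settles on, a producer should apply one policy consistently and not emit "v1.0.0" for one ecosystem and "1.0.0" for another, since consumers matching versions across SBOMs will otherwise treat them as different releases.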