specification icon indicating copy to clipboard operation
specification copied to clipboard
Published 1 month ago verified publisher icon CycloneDX

Added citation support and test cases.

Open stevespringett opened this issue 8 months ago • 2 comments

TODO/DONE

  • [x] JSON schema modified
  • [x] XML schema modified
  • [x] ProtoBuf schema modified
  • [x] JSON examples/test data crafted
  • [x] XML examples/test data crafted
  • [x] ProtoBuf examples/test data crafted

stevespringett avatar May 01 '25 20:05 stevespringett

RFC notice sent on May 1, 2025

  • https://groups.io/g/CycloneDX/message/309
  • https://cyclonedx.slack.com/archives/CVA0G10FN/p1746132948459179

Public RFC period ended May 29, 2025

jkowalleck avatar Jun 05 '25 08:06 jkowalleck

@stevespringett i see lacks in the implementation. I'd reject the current version for its unclear implementation.

jkowalleck avatar Jun 05 '25 08:06 jkowalleck

my remark was clarified. since there is no question left in the spec, this is ready for TC54 vote.

i will fix the current merge conflicts, and i will add additional valid/invalid examples according to spec, and might adjust the schemas to detect the invalid cases if possible.

PS: got it implemented in XSD via https://github.com/CycloneDX/specification/pull/630/commits/abcc29d4581bc762b51aaffbd58b5953a1cf2909 but the Java/Saxon foo is breaking for poor implementation - https://github.com/CycloneDX/specification/actions/runs/16050317279/job/45291176560?pr=630 will revert the XSD improvements. :sob:

jkowalleck avatar Jul 03 '25 11:07 jkowalleck

after reading this spec again, i really do not like it. :-1:

the idea of pointer is a horror for most implementations that use (unsorted) sets for data storage. the order of most elements never really mattered, but now it does. this spec is much to much dependent of schema implementations (XML/JSON/PB) and programming-language implementations.

PS:

I understand the idea - have something to annotate everything, without the need of adding bom-ref at all objects. Unfortunately, the proposed spec with pointers is not an ideal solution for the following points.

  • it makes transformation (e.g. from JSON to XML) non-trivial/complex/hard - since data structures are not the same in all schemas
  • it is not downstream-implementation friendly - since it requires tracking order of elements.

Were alternatives considered during the development of this solution?

jkowalleck avatar Jul 03 '25 11:07 jkowalleck

The updated PR adds support for "expressions" supporting both JSONPath and XPath. The choice of using a pointer or an expression has been implemented in JSON and XML and explained in the protobuf.

The definition of formulation has been extended to capture its true purpose.

stevespringett avatar Aug 05 '25 02:08 stevespringett