CycloneDX
Is `bom-ref` required or optional?
The 1.6 schema of a workflow, task, workspace, and trigger require a bom-ref, yet each description for a bom-ref says it is "an optional identifier". Is the description incorrect, or is the required field incorrect? The other ~20 instances of bom-ref have the same description but are not required.
For example, see: https://github.com/CycloneDX/specification/blob/e9e0e4e6f4226d60e739a957bbcdb65fd3510ffd/schema/bom-1.6.schema.json#L3881-3896
"workflow": {
"title": "Workflow",
"description": "A specialized orchestration task.",
"$comment": "Workflow are as task themselves and can trigger other workflow tasks. These relationships can be modeled in the taskDependencies graph.",
"type": "object",
"required": [
"bom-ref",
"uid",
"taskTypes"
],
"additionalProperties": false,
"properties": {
"bom-ref": {
"title": "BOM Reference",
"description": "An optional identifier which can be used to reference the workflow elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
"$ref": "#/definitions/refType"
},
There are a few places in the spec where it’s required. This is one of them. The description in this case is defective. I’ll ensure this gets resolved in v1.7
Note to self: remove required and optional keywords from all descriptions
