feat: support for external components with version-ranges #586
...s/src/test/resources/1.7/informal-invalid-component-versionRange-non-extraneous-explicit.xml
Looks good to me, although I think we should clarify better when `isExtraneous` is used.
For example, I don't think `isExtraneous` makes sense in `$.metadata.component`, even if `versionRange` is used.
Also, in a CycloneDX VDR/VEX document, `isExtraneous` does not make sense.
related to #321
Signed-off-by: Jan Kowalleck <[email protected]>
3e1eb53 to 7a52828
Co-authored-by: Piotr P. Karwasz <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
This is great! I guess it would be good to make explicit that you should not include hashes for extraneous components? Also, since different versions may have different transitive dependencies, does that mean no transitive dependencies should be listed for extraneous components? Or is it OK to keep listing those (as long as they're also marked extraneous) and leave it up to the downstream consumer of the SBOM to drop no-longer-relevant extraneous components as needed?
I thought about dropping transitive dependencies too, but some usages require having at least a draft of what transitive dependencies could appear. For example, we could link a CycloneDX SBOM to a CycloneDX VEX. In order to know which CVEs published by dependencies will be analyzed in the VEX, we need to provide an approximate list of transitive dependencies. While commercial manufacturers might be required to answer questions like "Is my Java application vulnerable to this Go CVE", OSS projects will certainly not answer questions beyond the dependencies listed in the SBOM.
Regarding transitive dependencies, hashes and such: nope. Hashes CAN be used, even for extraneous dependencies. All is a MAY/CAN -- not a MUST.
Refined the wording based on your feedback.
@stevespringett this one is ready for review
RFC notice sent. Public RFC period ends March 18, 2025
This was reviewed and accepted by TG54 on 2025-04-03.
LGTM
## Fixed

* XML schema: add type for `ComponentData` sub-elements ([#600] via [#601])
* JSON schema: added the correct `deprecated` mark for already deprecated structures (via [a973a6b])

## Deprecated

* Deprecated various fields and structures related to _cryptographic transparency_ - _CBOM_. (via [#657])
  Use the newly added structures and fields for detailing the information instead.

## Changed

* Extended the scope of _formulations_. (via [#647])
  From now on, _formulations_ may be used to describe how any referencable object within the BOM came together, including components, services, metadata, declarations, or the BOM itself. Before, it was restricted to components and services.

## Added

* Support for _external components_ with _version-ranges_ ([#321] via [#586])
* Support for _multiple_ SPDX License Expressions alongside other licenses ([#454] via [#582])
* Support for _Streebog hashing algorithm_ ([#485] via [#525])
* Support for license expression _details and properties_ ([#549], [#554] via [#599])
* Support for expressing BOM distribution constraints with the _Traffic Light Protocol_ (TLP) in metadata ([#595] via [#604], [#653])
* Support for representing _patent information_ ([#596] via [#597])
* Support for _properties_ on external-references ([#608] via [#610])
* Support for _citations_ ([#630] via [#629])
* Support for detailing _cryptographic transparency_ information - _CBOM_ ([#569] via [#657])

## Documentation

* Elaborated component classification "platform", explicitly expressed that it includes just-in-time compilers and interpreters ([#233] via [#647])
* Removed the term "optional" from the schema where the definition was already unambiguous ([#616], [#649] via [#680])

## Test data

* Add test data for CycloneDX 1.7 implementations in XML, JSON, Protobuf

[#233]: #233
[#321]: #321
[#454]: #454
[#485]: #485
[#525]: #525
[#549]: #549
[#554]: #554
[#569]: #569
[#582]: #582
[#586]: #586
[#595]: #595
[#596]: #596
[#597]: #597
[#599]: #599
[#600]: #600
[#601]: #601
[#604]: #604
[#608]: #608
[#610]: #610
[#616]: #616
[#629]: #629
[#630]: #630
[#647]: #647
[#649]: #649
[#653]: #653
[#657]: #657
[#680]: #680
[a973a6b]: a973a6b

----

- fixes #233
- fixes #321
- fixes #454
- fixes #485
- fixes #549
- fixes #554
- fixes #595
- fixes #596
- fixes #600
- fixes #608
- fixes #629
- fixes #616
- fixes #649
As discussed in ticket #321, this PR adds the following abilities:
fixes #321
> **Note**
> this one supersedes #326 <-- read there for more background and previous discussions

- implementing with components, because the objects referenced/required are actually used at runtime and therefore are considered a "component".
  Sketch/proposal for #321
- no asserts - this would require XSD 1.1, which is not broadly implemented yet.
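Because the "versionRange requires the component to be marked extraneous" rule cannot be expressed as an XSD 1.0 assertion (the `informal-invalid-component-versionRange-non-extraneous-explicit` test case in this PR exists for exactly that reason), a consumer has to check it itself. The following is an added example, not code from the CycloneDX specification project: a small consumer-side lint over a constructed BOM fragment that flags a `versionRange` without `isExtraneous: true`, flags `isExtraneous` on `$.metadata.component` (the reviewer's suggestion in this thread, not a settled rule), and collects the extraneous components so a downstream tool can drop them once the concrete environment is known. The property names `versionRange` and `isExtraneous` are taken from the discussion above; the exact 1.7 schema wording is assumed.

```python
"""Consumer-side lint for CycloneDX components that carry version ranges.

Added example, not code from the CycloneDX specification project.
Assumptions (taken from the PR discussion, not from a published schema):
  - a component may carry ``versionRange`` (a vers string) instead of ``version``;
  - such a component must be marked ``isExtraneous: true``; an explicit
    ``isExtraneous: false`` next to a ``versionRange`` is the "informal invalid"
    case that XSD 1.0 cannot assert, so a consumer checks it itself.
Hashes on extraneous components are allowed (MAY, not MUST), so they are not flagged.
"""
import json

# Constructed sample BOM fragment (not real project data). The hash is a dummy value.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.7",
    "metadata": {"component": {"type": "application", "name": "app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "name": "pinned-lib", "version": "2.3.1",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},
        {"type": "platform", "name": "host-runtime",
         "versionRange": "vers:maven/>=17|<22", "isExtraneous": True,
         # Approximate transitive dependencies are kept so a VEX can still cover them.
         "components": [
             {"type": "library", "name": "runtime-dep",
              "versionRange": "vers:maven/>=1", "isExtraneous": True},
         ]},
        {"type": "library", "name": "bad-lib",
         "versionRange": "vers:npm/>=4", "isExtraneous": False},
    ],
})


def iter_components(components, path="$.components"):
    """Yield (json_path, component) for every component, nested ones included."""
    for i, comp in enumerate(components):
        here = f"{path}[{i}]"
        yield here, comp
        yield from iter_components(comp.get("components", []), here + ".components")


def lint_extraneous(bom_json):
    """Return (findings, extraneous_paths).

    findings: human-readable descriptions of informally invalid components.
    extraneous_paths: JSON paths of components that describe a range rather than
    an exact artifact; a consumer may drop those that no longer apply.
    """
    bom = json.loads(bom_json)
    findings = []
    extraneous = []
    for path, comp in iter_components(bom.get("components", [])):
        has_range = "versionRange" in comp
        flagged = bool(comp.get("isExtraneous", False))
        if has_range and not flagged:
            findings.append(f"{path} ({comp['name']}): versionRange requires isExtraneous=true")
        if flagged:
            extraneous.append(path)
    # Reviewer suggestion from the thread (not a settled rule): the BOM's own
    # subject is the thing being described, so marking it extraneous is meaningless.
    subject = bom.get("metadata", {}).get("component")
    if subject and subject.get("isExtraneous"):
        findings.append("$.metadata.component: isExtraneous does not make sense on the BOM subject")
    return findings, extraneous


if __name__ == "__main__":
    problems, ranged = lint_extraneous(SAMPLE_BOM)
    for line in problems:
        print("INVALID:", line)
    print("extraneous components:", ranged)
```

Running the block reports `bad-lib` as the single invalid component and lists `host-runtime` together with its nested `runtime-dep` as the extraneous entries; nothing is said about `pinned-lib`, whose hash is legitimate even though hashes are optional everywhere.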
> **Note**
> ALL FEEDBACK IS WELCOME! Yes, everything.
> But some might not be resolved in this very PR, but in the authoritative guides. See #586 (comment)