xml

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

Author: jkowalleck

schema/bom-1.7.schema.json

@@ -928,7 +928,7 @@
         "versionRange": {
           "$ref": "#/definitions/versionRange",
           "title": "Component Version Range",
-          "description": "The component version range that may be provided to fulfill this capability.\nMay only occur if `isExtraneous` is `true`."
+          "description": "The component version range that may be provided to fulfill this capability.\nMAY only occur if `isExtraneous` is `true`."
         },
         "description": {
           "type": "string",
@@ -1116,7 +1116,8 @@
         {
           "$comment": "`version-range` MUST only be present, if `isExtraneous` is `true`",
           "if": { "properties": { "isExtraneous": { "const": false } } },
-          "then": { "not": { "required": ["versionRange"] } }
+          "then": { "not": { "required": ["versionRange"] } },
+          "else": true
         }
       ]
     },

schema/bom-1.7.xsd

@@ -554,12 +554,20 @@ limitations under the License.
                         of the component. Examples: commons-lang3 and jquery</xs:documentation>
                 </xs:annotation>
             </xs:element>
-            <xs:element name="version" type="bom:versionType" minOccurs="0" maxOccurs="1">
-                <xs:annotation>
-                    <xs:documentation>The component version. The version should ideally comply with semantic versioning
-                        but is not enforced.</xs:documentation>
-                </xs:annotation>
-            </xs:element>
+            <xs:choice>
+                <xs:element name="version" type="bom:versionType" minOccurs="0" maxOccurs="1">
+                    <xs:annotation>
+                        <xs:documentation>The component version. The version should ideally comply with semantic versioning
+                            but is not enforced.</xs:documentation>
+                    </xs:annotation>
+                </xs:element>
+                <xs:element name="versionRange" type="bom:versionRangeType" minOccurs="0" maxOccurs="1">
+                    <xs:annotation>
+                        <xs:documentation>The component version range that may be provided to fulfill this capability.
+                            MAY only occur if `isExtraneous` is `true`.</xs:documentation>
+                    </xs:annotation>
+                </xs:element>
+            </xs:choice>
             <xs:element name="description" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
                 <xs:annotation>
                     <xs:documentation>Specifies a description for the component</xs:documentation>
@@ -753,12 +761,28 @@ limitations under the License.
                 </xs:documentation>
             </xs:annotation>
         </xs:attribute>
+        <xs:attribute name="isExtraneous" type="xs:boolean" default="false">
+            <xs:annotation>
+                <xs:documentation>
+                    Whether this component is extraneous.
+                    An extraneous component is not part of an assembly, but are (expected to be) provided by the environment, regardless of the component's `scope`.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
         <xs:anyAttribute namespace="##any" processContents="lax">
             <xs:annotation>
                 <xs:documentation>User-defined attributes may be used on this element as long as they
                     do not have the same name as an existing attribute used by the schema.</xs:documentation>
             </xs:annotation>
         </xs:anyAttribute>
+        <!--
+        this would be formal, if the support for XSD1.1's `assert` was properly implemented
+        in validators and tools digesting XML.
+        <xs:assert id="versionRange_requires_isExtraneous_eq_true"
+                   test="if (versionRange) then (@isExtraneous eq 'true') else true()">
+            child `versionRange` MAY only be present, if attribute `isExtraneous` is `true`
+        </xs:assert>
+        -->
     </xs:complexType>
 
     <xs:complexType name="licenseType">

tools/src/test/resources/1.7/informal-invalid-component-versionRange-non-extraneous-explicit.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
+     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"
+>
+    <!--
+    this would be formal, if the support for XSD1.1's `assert` was properly implemented
+    in validators and tools digesting XML.
+    -->
+    <components>
+        <component type="library" isExtraneous="false">
+            <name>InvalidVersions</name>
+            <versionRange><![CDATA[>=9.0.0|<10.0.0]]></versionRange>
+            <description>versionRange may only exist on extraneous components, set `isExtraneous` explicit</description>
+        </component>
+    </components>
+</bom>

tools/src/test/resources/1.7/informal-invalid-component-versionRange-non-extraneous-implicit.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
+     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"
+>
+    <!--
+    this would be formal, if the support for XSD1.1's `assert` was properly implemented
+    in validators and tools digesting XML.
+    -->
+    <components>
+        <component type="library">
+            <!-- @isExtraneous defaults to `false` -->
+            <name>InvalidVersions</name>
+            <versionRange><![CDATA[>=9.0.0|<10.0.0]]></versionRange>
+            <description>versionRange may only exist on extraneous components, set `isExtraneous` implicit by default value</description>
+        </component>
+    </components>
+</bom>

tools/src/test/resources/1.7/invalid-component-version-and-range.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
+     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"
+>
+    <components>
+        <component type="library" isExtraneous="false">
+            <name>InvalidVersions</name>
+            <version>9.0.14</version>
+            <versionRange><![CDATA[>=9.0.0|<10.0.0]]></versionRange>
+            <description>may have `version` or `versionRange`, not both. This one does - it is invalid</description>
+        </component>
+    </components>
+</bom>

tools/src/test/resources/1.7/valid-component-extraneous-no-version-information.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
+     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"
+>
+    <components>
+        <component type="library" isExtraneous="true">
+            <name>Foo</name>
+            <description>extraneous without any version constraints</description>
+        </component>
+    </components>
+</bom>

tools/src/test/resources/1.7/valid-component-extraneous-with-version.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
+     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"
+>
+    <components>
+        <component type="library" isExtraneous="true">
+            <name>Foo</name>
+            <version>9.1.24</version>
+            <description>extraneous with version constraint</description>
+        </component>
+    </components>
+</bom>

tools/src/test/resources/1.7/valid-component-extraneous-with-versionRange.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
+     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"
+>
+    <components>
+        <component type="library" isExtraneous="true">
+            <name>Foo</name>
+            <versionRange><![CDATA[>=9.0.0|<10.0.0]]></versionRange>
+            <description>extraneous with version range constraints</description>
+        </component>
+    </components>
+</bom>