[WIP] CycloneDX 1.5.1 - Schema Alignment & Typo-/Bug‑Fix Release

.github/workflows/cibuild.yml

@@ -36,12 +36,12 @@ jobs:
         cd docgen/xml
         ./gen.sh
     - name: Archive JSON Schema documentation
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@v4
       with:
         name: JSON-Schema-documentation
         path: docgen/json/docs
     - name: Archive XML Schema documentation
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@v4
       with:
         name: XML-Schema-documentation
         path: docgen/xml/docs

schema/bom-1.5.proto

@@ -1,10 +1,10 @@
 syntax = "proto3";
-package cyclonedx.v1_5;
+package cyclonedx.v1_5; // 1.5.1
 import "google/protobuf/timestamp.proto";
 
 // Specifies attributes of the text
 message AttachedText {
-  // Specifies the content type of the text. Defaults to text/plain if not specified.
+  // Specifies the content type of the text. Defaults to 'text/plain' if not specified.
   optional string content_type = 1;
   // Specifies the optional encoding the text is represented in
   optional string encoding = 2;
@@ -103,9 +103,10 @@ message Component {
   string version = 9;
   // Specifies a description for the component
   optional string description = 10;
-  // Specifies the scope of the component. If scope is not specified, 'runtime' scope should be assumed by the consumer of the BOM
+  // Specifies the scope of the component. If scope is not specified, SCOPE_REQUIRED scope should be assumed by the consumer of the BOM
   optional Scope scope = 11;
   repeated Hash hashes = 12;
+  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
   repeated LicenseChoice licenses = 13;
   // An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.
   optional string copyright = 14;
@@ -352,7 +353,7 @@ message License {
   // Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata
   optional Licensing licensing = 6;
   // Specifies optional, custom, properties
-  repeated Property properties = 7;  
+  repeated Property properties = 7;
 }
 
 message Licensing {
@@ -431,6 +432,7 @@ message Metadata {
   // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager.
   optional OrganizationalEntity supplier = 6;
   // The license information for the BOM document
+  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
   optional LicenseChoice licenses = 7;
   // Specifies optional, custom, properties
   repeated Property properties = 8;
@@ -554,6 +556,7 @@ message Service {
   // A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed.
   optional bool x_trust_boundary = 9;
   repeated DataFlow data = 10;
+  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
   repeated LicenseChoice licenses = 11;
   // Provides the ability to document external references related to the service.
   repeated ExternalReference external_references = 12;
@@ -572,11 +575,11 @@ message Swid {
   string tag_id = 1;
   // Maps to the name of a SoftwareIdentity.
   string name = 2;
-  // Maps to the version of a SoftwareIdentity.
+  // Maps to the version of a SoftwareIdentity. Defaults to '0.0' if not specified.
   optional string version = 3;
-  // Maps to the tagVersion of a SoftwareIdentity.
+  // Maps to the tagVersion of a SoftwareIdentity. Defaults to '0' if not specified.
   optional int32 tag_version = 4;
-  // Maps to the patch of a SoftwareIdentity.
+  // Maps to the patch of a SoftwareIdentity. Defaults to 'false' if not specified.
   optional bool patch = 5;
   // Specifies the full content of the SWID tag.
   optional AttachedText text = 6;
@@ -650,6 +653,7 @@ message EvidenceCopyright {
 }
 
 message Evidence {
+  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
   repeated LicenseChoice licenses = 1;
   repeated EvidenceCopyright copyright = 2;
   repeated EvidenceIdentity identity = 3;
@@ -956,10 +960,10 @@ message VulnerabilityAffectedVersions {
   oneof choice {
     // A single version of a component or service.
     string version = 1;
-    // A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst
+    // A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec
     string range = 2;
   }
-  // The vulnerability status for the version or range of versions.
+  // The vulnerability status for the version or range of versions. Defaults to VULNERABILITY_AFFECTED_STATUS_AFFECTED if not specified.
   optional VulnerabilityAffectedStatus status = 3;
 }
 
@@ -1005,6 +1009,8 @@ message ModelCard {
   optional QuantitativeAnalysis quantitativeAnalysis = 3;
   // What considerations should be taken into account regarding the model's construction, training, and application?
   optional ModelCardConsiderations considerations = 4;
+  // Specifies optional, custom, properties
+  repeated Property properties = 5;
 
   message ModelParameters {
     // The overall approach to learning used by the model for problem solving.

schema/bom-1.5.schema.json

@@ -6,8 +6,7 @@
   "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
   "required": [
     "bomFormat",
-    "specVersion",
-    "version"
+    "specVersion"
   ],
   "additionalProperties": false,
   "properties": {
@@ -2285,7 +2284,7 @@
                       "$ref": "#/definitions/version"
                     },
                     "range": {
-                      "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst",
+                      "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec",
                       "$ref": "#/definitions/range"
                     },
                     "status": {
@@ -2327,7 +2326,7 @@
       "maxLength": 1024
     },
     "range": {
-      "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst",
+      "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec",
       "type": "string",
       "minLength": 1,
       "maxLength": 1024

schema/bom-1.5.xsd

@@ -22,7 +22,7 @@ limitations under the License.
            targetNamespace="http://cyclonedx.org/schema/bom/1.5"
            vc:minVersion="1.0"
            vc:maxVersion="1.1"
-           version="1.5.0">
+           version="1.5.1">
 
     <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="http://cyclonedx.org/schema/spdx"/>
 
@@ -474,7 +474,7 @@ limitations under the License.
                     <xs:documentation>Specifies a description for the component</xs:documentation>
                 </xs:annotation>
             </xs:element>
-            <xs:element name="scope" type="bom:scope" minOccurs="0" maxOccurs="1">
+            <xs:element name="scope" type="bom:scope" minOccurs="0" maxOccurs="1" default="required">
                 <xs:annotation>
                     <xs:documentation>Specifies the scope of the component. If scope is not specified, 'required'
                         scope SHOULD be assumed by the consumer of the BOM.</xs:documentation>
@@ -2433,12 +2433,12 @@ limitations under the License.
             </xs:enumeration>
             <xs:enumeration value="incomplete_first_party_proprietary_only">
                 <xs:annotation>
-                    <xs:documentation>The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.</xs:documentation>
+                    <xs:documentation>The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.</xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="incomplete_first_party_opensource_only">
                 <xs:annotation>
-                    <xs:documentation>The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.</xs:documentation>
+                    <xs:documentation>The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.</xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="incomplete_third_party_only">
@@ -2885,7 +2885,7 @@ limitations under the License.
                             </xs:annotation>
                             <xs:complexType>
                                 <xs:sequence>
-                                    <xs:element name="user" type="xs:string" minOccurs="0" maxOccurs="1" />
+                                    <xs:element name="user" type="xs:string" minOccurs="0" maxOccurs="unbounded" />
                                 </xs:sequence>
                             </xs:complexType>
                         </xs:element>
@@ -2897,7 +2897,7 @@ limitations under the License.
                             </xs:annotation>
                             <xs:complexType>
                                 <xs:sequence>
-                                    <xs:element name="useCase" type="xs:string" minOccurs="0" maxOccurs="1" />
+                                    <xs:element name="useCase" type="xs:string" minOccurs="0" maxOccurs="unbounded" />
                                 </xs:sequence>
                             </xs:complexType>
                         </xs:element>
@@ -2911,7 +2911,7 @@ limitations under the License.
                             </xs:annotation>
                             <xs:complexType>
                                 <xs:sequence>
-                                    <xs:element name="technicalLimitation" type="xs:string" minOccurs="0" maxOccurs="1" />
+                                    <xs:element name="technicalLimitation" type="xs:string" minOccurs="0" maxOccurs="unbounded" />
                                 </xs:sequence>
                             </xs:complexType>
                         </xs:element>
@@ -2923,7 +2923,7 @@ limitations under the License.
                             </xs:annotation>
                             <xs:complexType>
                                 <xs:sequence>
-                                    <xs:element name="performanceTradeoff" type="xs:string" minOccurs="0" maxOccurs="1" />
+                                    <xs:element name="performanceTradeoff" type="xs:string" minOccurs="0" maxOccurs="unbounded" />
                                 </xs:sequence>
                             </xs:complexType>
                         </xs:element>
@@ -3008,6 +3008,16 @@ limitations under the License.
                     </xs:sequence>
                 </xs:complexType>
             </xs:element>
+            <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1">
+                <xs:annotation>
+                    <xs:documentation>Provides the ability to document properties in a name/value store.
+                        This provides flexibility to include data not officially supported in the standard
+                        without having to use additional namespaces or create extensions. Property names
+                        of interest to the general public are encouraged to be registered in the
+                        CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
+                        Formal registration is OPTIONAL.</xs:documentation>
+                </xs:annotation>
+            </xs:element>
         </xs:sequence>
         <xs:attribute name="bom-ref" type="bom:refType">
             <xs:annotation>
@@ -3644,7 +3654,7 @@ limitations under the License.
                                                                 </xs:element>
                                                                 <xs:element name="range" type="xs:normalizedString" minOccurs="1" maxOccurs="1">
                                                                     <xs:annotation>
-                                                                        <xs:documentation>A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst</xs:documentation>
+                                                                        <xs:documentation>A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec</xs:documentation>
                                                                     </xs:annotation>
                                                                 </xs:element>
                                                             </xs:choice>

schema/xmlcatalog.xml

@@ -0,0 +1,40 @@
+<?xml version="1.0"?>
+<!--
+CycloneDX Software Bill-of-Material (SBoM) Specification
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<!--
+  This XML catalog provides mappings for CycloneDX schemas.
+  The catalog maps schema URLs to local XSD files to facilitate schema
+  validation without needing internet access.
+  Namespace: urn:oasis:names:tc:entity:xmlns:xml:catalog
+-->
+<!-- to prevent unintendedn notwork access, we do not set a DTD/XSD in this XML -->
+<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
+
+  <!-- SPDX BOM Schema -->
+  <uri name="http://cyclonedx.org/schema/spdx" uri="spdx.xsd"/>
+
+  <!-- CycloneDX BOM Schemas -->
+  <uri name="http://cyclonedx.org/schema/bom/1.0" uri="bom-1.0.xsd"/>
+  <uri name="http://cyclonedx.org/schema/bom/1.1" uri="bom-1.1.xsd"/>
+  <uri name="http://cyclonedx.org/schema/bom/1.2" uri="bom-1.2.xsd"/>
+  <uri name="http://cyclonedx.org/schema/bom/1.3" uri="bom-1.3.xsd"/>
+  <uri name="http://cyclonedx.org/schema/bom/1.4" uri="bom-1.4.xsd"/>
+  <uri name="http://cyclonedx.org/schema/bom/1.5" uri="bom-1.5.xsd"/>
+
+  <!-- Placeholder for future schemas, where 1.x is the next CycloneDX Spec Version -->
+  <!-- <uri name="http://cyclonedx.org/schema/bom/1.x" uri="bom-1.x.xsd"/> -->
+
+</catalog>

tools/pom.xml

@@ -51,11 +51,12 @@
         <maven.appassembler.plugin.version>1.10</maven.appassembler.plugin.version>
         <maven.assembly.plugin.version>3.1.0</maven.assembly.plugin.version>
         <!-- Library Versions -->
-        <lib.commons.io.version>2.7</lib.commons.io.version>
-        <lib.commons.lang3.version>3.6</lib.commons.lang3.version>
-        <lib.commons.text.version>1.2</lib.commons.text.version>
+        <lib.commons.io.version>2.17.0</lib.commons.io.version>
+        <lib.commons.lang3.version>3.18.0</lib.commons.lang3.version>
+        <lib.commons.text.version>1.12.0</lib.commons.text.version>
+        <lib.json.schema.validator>1.5.5</lib.json.schema.validator>
         <lib.unirest.version>1.4.9</lib.unirest.version>
-        <lib.cyclonedx.core.java.version>7.2.0</lib.cyclonedx.core.java.version>
+        <lib.slf4j.api>2.0.16</lib.slf4j.api>
     </properties>
 
     <scm>
@@ -98,6 +99,24 @@
         </repository>
     </repositories>
 
+    <dependencyManagement>
+        <dependencies>
+
+            <dependency>
+                <groupId>org.slf4j</groupId>
+                <artifactId>slf4j-api</artifactId>
+                <version>${lib.slf4j.api}</version>
+            </dependency>
+
+            <dependency>
+                <groupId>org.slf4j</groupId>
+                <artifactId>slf4j-simple</artifactId>
+                <version>${lib.slf4j.api}</version>
+            </dependency>
+
+        </dependencies>
+    </dependencyManagement>
+
     <dependencies>
         <!-- Apache Commons -->
         <dependency>
@@ -123,16 +142,22 @@
             <scope>compile</scope>
         </dependency>
         <!-- Unit tests -->
+        <dependency>
+            <groupId>com.networknt</groupId>
+            <artifactId>json-schema-validator</artifactId>
+            <version>${lib.json.schema.validator}</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.junit.jupiter</groupId>
-            <artifactId>junit-jupiter-engine</artifactId>
-            <version>5.7.0</version>
+            <artifactId>junit-jupiter-api</artifactId>
+            <version>5.11.4</version>
             <scope>test</scope>
         </dependency>
+        <!-- Runtime-only test dependency -->
         <dependency>
-            <groupId>org.cyclonedx</groupId>
-            <artifactId>cyclonedx-core-java</artifactId>
-            <version>${lib.cyclonedx.core.java.version}</version>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-simple</artifactId>
             <scope>test</scope>
         </dependency>
     </dependencies>
@@ -142,8 +167,16 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
-                <version>3.0.0-M5</version>
+                <version>3.5.2</version>
             </plugin>
         </plugins>
+        <testResources>
+            <testResource>
+                <directory>${project.basedir}/../schema</directory>
+            </testResource>
+            <testResource>
+                <directory>src/test/resources</directory>
+            </testResource>
+        </testResources>
     </build>
 </project>

tools/src/test/java/org/cyclonedx/schema/BaseSchemaVerificationTest.java

@@ -28,20 +28,18 @@ List<String> getAllResources() throws Exception {
         files.addAll(getResources("1.2/"));
         files.addAll(getResources("1.3/"));
         files.addAll(getResources("1.4/"));
+        files.addAll(getResources("1.5/"));
         return files;
     }
 
-    List<String> getResources(final String resourceDirectory) throws Exception {
-        final List<String> files = new ArrayList<>();
-        String dir = resourceDirectory;
-        if (!resourceDirectory.endsWith("/")) {
-            dir += "/";
-        }
-        try (InputStream in = this.getClass().getClassLoader().getResourceAsStream(dir)) {
+    private List<String> getResources(final String resourceDirectory) throws Exception {
+        final List<String> resources = new ArrayList<>();
+        try (InputStream in = this.getClass().getClassLoader().getResourceAsStream(resourceDirectory)) {
             if (in != null) {
-                files.addAll(IOUtils.readLines(in, StandardCharsets.UTF_8));
+                IOUtils.readLines(in, StandardCharsets.UTF_8)
+                        .forEach(resource -> resources.add(resourceDirectory + resource));
             }
         }
-        return files;
+        return resources;
     }
 }