
Dependency type definition in JSON Schema and XSD Schema are inconsistent #146

Open
ajbrown opened this issue May 11, 2022 · 2 comments · May be fixed by #158

Comments

@ajbrown

ajbrown commented May 11, 2022

The way dependency objects are defined differs between the XSD and the JSON schema and documentation. The published documentation and JSON schema define "dependsOn" as a list of BOM ref strings, whereas the XSD defines the "dependsOn" list as a list of dependency objects, which would allow them to be nested.

The inconsistency causes confusing expectations across languages / systems, as some allow for nested dependencies and others do not.

Additionally, it appears that the XSD defines an element called "dependencies" whereas the JSON schema calls it "dependsOn".

XSD Definition

    <xs:complexType name="dependencyType">
        <xs:sequence minOccurs="0" maxOccurs="unbounded">
            <xs:element name="dependency" type="bom:dependencyType"/>
        </xs:sequence>
        <xs:attribute name="ref" type="bom:refType" use="required">
            <xs:annotation>
                <xs:documentation>References a component or service by the its bom-ref attribute</xs:documentation>
            </xs:annotation>
        </xs:attribute>
        <xs:anyAttribute namespace="##other" processContents="lax">
            <xs:annotation>
                <xs:documentation>User-defined attributes may be used on this element as long as they
                    do not have the same name as an existing attribute used by the schema.</xs:documentation>
            </xs:annotation>
        </xs:anyAttribute>
    </xs:complexType>

JSON Schema Definition

    "dependency": {
      "type": "object",
      "title": "Dependency",
      "description": "Defines the direct dependencies of a component. Components that do not have their own dependencies MUST be declared as empty elements within the graph. Components that are not represented in the dependency graph MAY have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an indicator of a component being dependency-free.",
      "required": [
        "ref"
      ],
      "additionalProperties": false,
      "properties": {
        "ref": {
          "$ref": "#/definitions/refType",
          "title": "Reference",
          "description": "References a component by the components bom-ref attribute"
        },
        "dependsOn": {
          "type": "array",
          "uniqueItems": true,
          "additionalItems": false,
          "items": {
            "$ref": "#/definitions/refType"
          },
          "title": "Depends On",
          "description": "The bom-ref identifiers of the components that are dependencies of this dependency object."
        }
      }
    }

Documentation:
[Screenshot of the published documentation for the dependency object]

This stems from the issues raised in language libraries around nested dependencies:
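The practical consequence of the two shapes is that a tool reading XML may receive an arbitrarily nested dependency tree while a tool reading JSON only ever sees one level of `ref` plus `dependsOn`. The example below (added here; it is not code from the issue or from any CycloneDX library) converts between the two representations so the same graph comes out either way: nested XSD-style `<dependency>` elements are flattened into the JSON Schema's list of `{"ref", "dependsOn"}` objects, merging duplicate refs and giving leaf components their own empty entries as the JSON description requires, and the reverse direction nests a flat list back into XML with a guard for cycles, which the flat form can express but a finite nested tree cannot. The BOM XML and refs are constructed sample data; the 1.4 namespace URI is an assumption based on the schema version current when the issue was filed.

```python
"""Convert CycloneDX dependency graphs between the XSD's nested shape and
the JSON Schema's flat {ref, dependsOn} shape. Example code, not part of
the CycloneDX specification or libraries."""
import json
import xml.etree.ElementTree as ET

# Assumption: CycloneDX 1.4 XML namespace (the schema version current in May 2022).
BOM_NS = "http://cyclonedx.org/schema/bom/1.4"
DEP_TAG = f"{{{BOM_NS}}}dependency"
DEPS_TAG = f"{{{BOM_NS}}}dependencies"

# Constructed sample BOM fragment in the XSD's nested shape (not from the issue).
SAMPLE_XML = f"""<bom xmlns="{BOM_NS}" version="1">
  <dependencies>
    <dependency ref="pkg:app">
      <dependency ref="pkg:lib-a">
        <dependency ref="pkg:lib-c"/>
      </dependency>
      <dependency ref="pkg:lib-b"/>
    </dependency>
  </dependencies>
</bom>"""


def flatten_dependencies(xml_text: str) -> list[dict]:
    """Flatten nested <dependency> elements into the JSON Schema's list of
    {"ref": ..., "dependsOn": [...]} objects.

    The XSD lets the same ref appear under several parents, so edges are
    merged into one adjacency set per ref. Every ref that is mentioned gets
    its own entry (with an empty dependsOn for leaves), which is what the
    JSON description requires for components without dependencies.
    """
    root = ET.fromstring(xml_text)
    graph: dict[str, set[str]] = {}

    def walk(node: ET.Element) -> None:
        ref = node.get("ref")
        graph.setdefault(ref, set())
        for child in node.findall(DEP_TAG):
            graph[ref].add(child.get("ref"))
            walk(child)

    container = root.find(DEPS_TAG)
    if container is not None:
        for top in container.findall(DEP_TAG):
            walk(top)
    return [{"ref": ref, "dependsOn": sorted(graph[ref])} for ref in sorted(graph)]


def nest_dependencies(flat: list[dict]) -> str:
    """Render the flat JSON shape as nested XSD-style XML.

    A flat list can describe a cycle (a dependsOn b, b dependsOn a); naive
    recursive nesting would never terminate, so a ref already on the current
    path is emitted as a bare <dependency ref=.../> without recursing.
    Assumption: graph roots (refs nobody depends on) are placed at the top
    level; if there are none, every ref is emitted at the top level.
    """
    adjacency = {d["ref"]: list(d.get("dependsOn", [])) for d in flat}
    bom = ET.Element(f"{{{BOM_NS}}}bom", {"version": "1"})
    container = ET.SubElement(bom, DEPS_TAG)

    def emit(parent: ET.Element, ref: str, path: frozenset) -> None:
        node = ET.SubElement(parent, DEP_TAG, {"ref": ref})
        if ref in path:
            return  # cycle: stop here instead of recursing forever
        for child_ref in adjacency.get(ref, []):
            emit(node, child_ref, path | {ref})

    referenced = {c for children in adjacency.values() for c in children}
    roots = [r for r in adjacency if r not in referenced] or list(adjacency)
    for r in roots:
        emit(container, r, frozenset())
    ET.register_namespace("", BOM_NS)
    return ET.tostring(bom, encoding="unicode")


if __name__ == "__main__":
    flat = flatten_dependencies(SAMPLE_XML)
    print(json.dumps(flat, indent=2))          # the JSON Schema shape
    print(nest_dependencies(flat))             # back to the XSD shape
```

Running the module prints the flat JSON list for the sample and the XML rebuilt from it; `flatten_dependencies(nest_dependencies(flat))` returns the same list, including for a cyclic input such as two refs that depend on each other.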

@ajbrown
Author

ajbrown commented May 11, 2022

Just as a note, it appears the field name difference is handled during (de)serialization by the 2 libraries I checked (Go, Java) so it seems there are no portability issues with that at the moment.

@madpah

madpah commented Sep 13, 2022

Good spot @ajbrown - I just came across this working on cyclonedx-python-lib.

@stevespringett / @coderpatros - can we consider aligning the schemas more here, unless there is a good reason to require the difference?

madpah added a commit to madpah/specification that referenced this issue Sep 13, 2022
…X#146

Signed-off-by: Paul Horton <paul.horton@owasp.org>
madpah added a commit to CycloneDX/cyclonedx-python-lib that referenced this issue Sep 13, 2022
madpah added a commit to CycloneDX/cyclonedx-python-lib that referenced this issue Sep 14, 2022
madpah added a commit to CycloneDX/cyclonedx-python-lib that referenced this issue Jan 23, 2023
madpah added a commit to CycloneDX/cyclonedx-python-lib that referenced this issue Jan 23, 2023
madpah added a commit to CycloneDX/cyclonedx-python-lib that referenced this issue Jan 27, 2023
…to workaround which breaks Dependency (de-)serialization for JSON

Signed-off-by: Paul Horton <paul.horton@owasp.org>
madpah added a commit to madpah/serializable that referenced this issue Jan 27, 2023
madpah added a commit to CycloneDX/cyclonedx-python-lib that referenced this issue Feb 27, 2023