initial spec1.4 implementation (#65)

* fetch spec 1.4 schema files
* CycloneDX spec 1.4 implementation

HISTORY.md

@@ -6,6 +6,23 @@ All notable changes to this project will be documented in this file.
 
 ## 2.0.0 - unreleased
 
+* BREAKING changes
+  * Interface `\CycloneDX\Core\Spec\SpecInterface` became internal, was public api. (via [#65])  
+    This is done to prevent the need for future "breaking changed" when the schema requires additional spec implementations.
+* Changed
+  * Method `\CycloneDX\Core\Serialize\{DOM,JSON}\Normalizers\ExternalReferenceNormalizer::normalize` throw `DomainException` when `ExternalReference`'s type was not supported by the spec.  (via [#65])  
+    This is considered a non-breaking change, because the behaviour was already documented in the API, even though there was no need for an implementation before.
+* Added
+  * New class constant `\CycloneDX\Core\Spec\Version::V_1_4` for CycloneDX v1.4. (via [#65])
+  * New class `\CycloneDX\Core\Spec\Spec14` to reflect CycloneDX v1.4. (via [#65])
+  * Support for CycloneDX v1.4 in `CycloneDX\Core\Validation\Validators\{Json,Xml}StrictValidator`. (via [#65])
+  * New methods in class `\CycloneDX\Core\Spec\Spec1{1,2,3}` (via [#65])
+    * `::getSupportsExternalReferenceTypes()`
+    * `::isSupportsExternalReferenceType()`
+  * New class constant `CycloneDX\Core\Enums\ExternalReferenceType::RELEASE_NOTES` to reflect CycloneDX v1.4. (via [#65])
+
+[#65]: https://github.com/CycloneDX/cyclonedx-php-library/pull/65
+
 ## 1.6.2 - 2022-09-12
 
 Maintenance release.

res/README.md

@@ -16,9 +16,12 @@ Currently using version
 | [`bom-1.1.SNAPSHOT.xsd`](bom-1.1.SNAPSHOT.xsd) | `http://cyclonedx.org/schema/spdx` was replaced with `spdx.SNAPSHOT.xsd` |
 | [`bom-1.2.SNAPSHOT.xsd`](bom-1.2.SNAPSHOT.xsd) | `http://cyclonedx.org/schema/spdx` was replaced with `spdx.SNAPSHOT.xsd` |
 | [`bom-1.3.SNAPSHOT.xsd`](bom-1.3.SNAPSHOT.xsd) | `http://cyclonedx.org/schema/spdx` was replaced with `spdx.SNAPSHOT.xsd` |
+| [`bom-1.4.SNAPSHOT.xsd`](bom-1.4.SNAPSHOT.xsd) | `http://cyclonedx.org/schema/spdx` was replaced with `spdx.SNAPSHOT.xsd` |
 | [`bom-1.2.SNAPSHOT.schema.json`](bom-1.2.SNAPSHOT.schema.json) | `spdx.schema.json` was replaced with `spdx.SNAPSHOT.schema.json` |
 | [`bom-1.3.SNAPSHOT.schema.json`](bom-1.3.SNAPSHOT.schema.json) | `spdx.schema.json` was replaced with `spdx.SNAPSHOT.schema.json` |
+| [`bom-1.4.SNAPSHOT.schema.json`](bom-1.4.SNAPSHOT.schema.json) | `spdx.schema.json` was replaced with `spdx.SNAPSHOT.schema.json` |
 | [`bom-1.2-strict.SNAPSHOT.schema.json`](bom-1.2-strict.SNAPSHOT.schema.json) | `spdx.schema.json` was replaced with `spdx.SNAPSHOT.schema.json` |
 | [`bom-1.3-strict.SNAPSHOT.schema.json`](bom-1.3-strict.SNAPSHOT.schema.json) | `spdx.schema.json` was replaced with `spdx.SNAPSHOT.schema.json` |
 | [`spdx.SNAPSHOT.xsd`](spdx.SNAPSHOT.xsd) | |
 | [`spdx.SNAPSHOT.schema.json`](spdx.SNAPSHOT.schema.json) | |
+| [`jsf-0.82.SNAPSHOT.schema.json`](jsf-0.82.SNAPSHOT.schema.json) | |

res/jsf-0.82.SNAPSHOT.schema.json

@@ -0,0 +1,244 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "http://cyclonedx.org/schema/jsf-0.82.schema.json",
+  "type": "object",
+  "title": "JSON Signature Format (JSF) standard",
+  "$comment" : "JSON Signature Format schema is published under the terms of the Apache License 2.0. JSF was developed by Anders Rundgren (anders.rundgren.net@gmail.com) as a part of the OpenKeyStore project. This schema supports the entirely of the JSF standard excluding 'extensions'.",
+  "definitions": {
+    "signature": {
+      "type": "object",
+      "title": "Signature",
+      "oneOf": [
+        {
+          "additionalProperties": false,
+          "properties": {
+            "signers": {
+              "type": "array",
+              "title": "Signature",
+              "description": "Unique top level property for Multiple Signatures. (multisignature)",
+              "additionalItems": false,
+              "items": {"$ref": "#/definitions/signer"}
+            }
+          }
+        },
+        {
+          "additionalProperties": false,
+          "properties": {
+            "chain": {
+              "type": "array",
+              "title": "Signature",
+              "description": "Unique top level property for Signature Chains. (signaturechain)",
+              "additionalItems": false,
+              "items": {"$ref": "#/definitions/signer"}
+            }
+          }
+        },
+        {
+          "title": "Signature",
+          "description": "Unique top level property for simple signatures. (signaturecore)",
+          "$ref": "#/definitions/signer"
+        }
+      ]
+    },
+    "signer": {
+      "type": "object",
+      "title": "Signature",
+      "required": [
+        "algorithm",
+        "value"
+      ],
+      "additionalProperties": false,
+      "properties": {
+        "algorithm": {
+          "oneOf": [
+            {
+              "type": "string",
+              "title": "Algorithm",
+              "description": "Signature algorithm. The currently recognized JWA [RFC7518] and RFC8037 [RFC8037] asymmetric key algorithms. Note: Unlike RFC8037 [RFC8037] JSF requires explicit Ed* algorithm names instead of \"EdDSA\".",
+              "enum": [
+                "RS256",
+                "RS384",
+                "RS512",
+                "PS256",
+                "PS384",
+                "PS512",
+                "ES256",
+                "ES384",
+                "ES512",
+                "Ed25519",
+                "Ed448",
+                "HS256",
+                "HS384",
+                "HS512"
+              ]
+            },
+            {
+              "type": "string",
+              "title": "Algorithm",
+              "description": "Signature algorithm. Note: If proprietary signature algorithms are added, they must be expressed as URIs.",
+              "format": "uri"
+            }
+          ]
+        },
+        "keyId": {
+          "type": "string",
+          "title": "Key ID",
+          "description": "Optional. Application specific string identifying the signature key."
+        },
+        "publicKey": {
+          "title": "Public key",
+          "description": "Optional. Public key object.",
+          "$ref": "#/definitions/publicKey"
+        },
+        "certificatePath": {
+          "type": "array",
+          "title": "Certificate path",
+          "description": "Optional. Sorted array of X.509 [RFC5280] certificates, where the first element must contain the signature certificate. The certificate path must be contiguous but is not required to be complete.",
+          "additionalItems": false,
+          "items": {
+            "type": "string"
+          }
+        },
+        "excludes": {
+          "type": "array",
+          "title": "Excludes",
+          "description": "Optional. Array holding the names of one or more application level properties that must be excluded from the signature process. Note that the \"excludes\" property itself, must also be excluded from the signature process. Since both the \"excludes\" property and the associated data it points to are unsigned, a conforming JSF implementation must provide options for specifying which properties to accept.",
+          "additionalItems": false,
+          "items": {
+            "type": "string"
+          }
+        },
+        "value": {
+          "type": "string",
+          "title": "Signature",
+          "description": "The signature data. Note that the binary representation must follow the JWA [RFC7518] specifications."
+        }
+      }
+    },
+    "keyType": {
+      "type": "string",
+      "title": "Key type",
+      "description": "Key type indicator.",
+      "enum": [
+        "EC",
+        "OKP",
+        "RSA"
+      ]
+    },
+    "publicKey": {
+      "title": "Public key",
+      "description": "Optional. Public key object.",
+      "type": "object",
+      "required": [
+        "kty"
+      ],
+      "additionalProperties": true,
+      "properties": {
+        "kty": {
+          "$ref": "#/definitions/keyType"
+        }
+      },
+      "allOf": [
+        {
+          "if": {
+            "properties": { "kty": { "const": "EC" } }
+          },
+          "then": {
+            "required": [
+              "kty",
+              "crv",
+              "x",
+              "y"
+            ],
+            "additionalProperties": false,
+            "properties": {
+              "kty": {
+                "$ref": "#/definitions/keyType"
+              },
+              "crv": {
+                "type": "string",
+                "title": "Curve name",
+                "description": "EC curve name.",
+                "enum": [
+                  "P-256",
+                  "P-384",
+                  "P-521"
+                ]
+              },
+              "x": {
+                "type": "string",
+                "title": "Coordinate",
+                "description": "EC curve point X. The length of this field must be the full size of a coordinate for the curve specified in the \"crv\" parameter. For example, if the value of \"crv\" is \"P-521\", the decoded argument must be 66 bytes."
+              },
+              "y": {
+                "type": "string",
+                "title": "Coordinate",
+                "description": "EC curve point Y. The length of this field must be the full size of a coordinate for the curve specified in the \"crv\" parameter. For example, if the value of \"crv\" is \"P-256\", the decoded argument must be 32 bytes."
+              }
+            }
+          }
+        },
+        {
+          "if": {
+            "properties": { "kty": { "const": "OKP" } }
+          },
+          "then": {
+            "required": [
+              "kty",
+              "crv",
+              "x"
+            ],
+            "additionalProperties": false,
+            "properties": {
+              "kty": {
+                "$ref": "#/definitions/keyType"
+              },
+              "crv": {
+                "type": "string",
+                "title": "Curve name",
+                "description": "EdDSA curve name.",
+                "enum": [
+                  "Ed25519",
+                  "Ed448"
+                ]
+              },
+              "x": {
+                "type": "string",
+                "title": "Coordinate",
+                "description": "EdDSA curve point X. The length of this field must be the full size of a coordinate for the curve specified in the \"crv\" parameter. For example, if the value of \"crv\" is \"Ed25519\", the decoded argument must be 32 bytes."
+              }
+            }
+          }
+        },
+        {
+          "if": {
+            "properties": { "kty": { "const": "RSA" } }
+          },
+          "then": {
+            "required": [
+              "kty",
+              "n",
+              "e"
+            ],
+            "additionalProperties": false,
+            "properties": {
+              "kty": {
+                "$ref": "#/definitions/keyType"
+              },
+              "n": {
+                "type": "string",
+                "title": "Modulus",
+                "description": "RSA modulus."
+              },
+              "e": {
+                "type": "string",
+                "title": "Exponent",
+                "description": "RSA exponent."
+              }
+            }
+          }
+        }
+      ]
+    }
+  }
+}

src/Core/Enums/Classification.php

@@ -30,6 +30,7 @@
  * See {@link https://cyclonedx.org/schema/bom/1.1 Schema 1.1} for `classification`.
  * See {@link https://cyclonedx.org/schema/bom/1.2 Schema 1.2} for `classification`.
  * See {@link https://cyclonedx.org/schema/bom/1.3 Schema 1.3} for `classification`.
+ * See {@link https://cyclonedx.org/schema/bom/1.4 Schema 1.4} for `classification`.
  *
  * @author jkowalleck
  */

src/Core/Enums/ExternalReferenceType.php

@@ -27,6 +27,7 @@
  * See {@link https://cyclonedx.org/schema/bom/1.1 Schema 1.1} for `externalReferenceType`.
  * See {@link https://cyclonedx.org/schema/bom/1.2 Schema 1.2} for `externalReferenceType`.
  * See {@link https://cyclonedx.org/schema/bom/1.3 Schema 1.3} for `externalReferenceType`.
+ * See {@link https://cyclonedx.org/schema/bom/1.4 Schema 1.4} for `externalReferenceType`.
  *
  * @author jkowalleck
  */
@@ -60,6 +61,8 @@ abstract class ExternalReferenceType
     public const BUILD_META = 'build-meta';
     /** URL to an automated build system. */
     public const BUILD_SYSTEM = 'build-system';
+    /** URL to release notes. */
+    public const RELEASE_NOTES = 'release-notes';
     /** Use this if no other types accurately describe the purpose of the external reference. */
     public const OTHER = 'other';
 

src/Core/Enums/HashAlgorithm.php

@@ -28,6 +28,7 @@
  * See {@link https://cyclonedx.org/schema/bom/1.1 Schema 1.1} for `hashAlg`.
  * See {@link https://cyclonedx.org/schema/bom/1.2 Schema 1.2} for `hashAlg`.
  * See {@link https://cyclonedx.org/schema/bom/1.3 Schema 1.3} for `hashAlg`.
+ * See {@link https://cyclonedx.org/schema/bom/1.4 Schema 1.4} for `hashAlg`.
  *
  * @author jkowalleck
  */

src/Core/Helpers/NullAssertionTrait.php

@@ -26,7 +26,7 @@
 /**
  * @author jkowalleck
  *
- * @internal
+ * @internal as this trait may be affected by breaking changes without notice
  */
 trait NullAssertionTrait
 {

src/Core/Helpers/SimpleDomTrait.php

@@ -28,7 +28,7 @@
 use DOMNode;
 
 /**
- * @internal
+ * @internal as this trait may be affected by breaking changes without notice
  *
  * @author jkowalleck
  */

src/Core/Helpers/XmlTrait.php

@@ -28,7 +28,7 @@
 /**
  * @author jkowalleck
  *
- * @internal
+ * @internal as this trait may be affected by breaking changes without notice
  */
 trait XmlTrait
 {

src/Core/Models/BomRef.php

@@ -24,13 +24,13 @@
 namespace CycloneDX\Core\Models;
 
 /**
- * An identifier which can be used to reference objects elsewhere in the BOM.
+ * Identifier-DataType for interlinked elements.
+ *
+ * Class is currently final, to enforce proper usage.
  *
  * Implementation is intended to prevent memory leaks.
  * See ../../../docs/dev/decisions/BomDependencyDataModel.md
  *
- * Class is currently final, to enforce proper usage.
- *
  * @author jkowalleck
  */
 final class BomRef

src/Core/Models/License/AbstractDisjunctiveLicense.php

@@ -26,7 +26,7 @@
 /**
  * @author jkowalleck
  *
- * @internal
+ * @internal as this class may be affected by breaking changes without notice
  */
 abstract class AbstractDisjunctiveLicense
 {