protobuf Metadata licenses should be repeated #264

b-grooters-byte · 2023-07-11T23:23:01Z

The protobuf specification for bom MetaData does not appear match the XML and JSON specifications. It seems that the licenses field should be a repeated, rather than optional, field in the MetaData to match the JSON and XML schema specification for the same field.
Proto:

message LicenseChoice {
  oneof choice {
    License license = 1;
    string expression = 2;
  }
}

message Metadata {
 ...
  // The license information for the BOM document
  optional LicenseChoice licenses = 7;
  // Specifies optional, custom, properties
  repeated Property properties = 8;
}

JSON:

"metadata": {
      "type": "object",
      "title": "BOM Metadata Object",

"licenses": {
          "type": "array",
          "title": "BOM License(s)",
          "additionalItems": false,
          "items": {"$ref": "#/definitions/licenseChoice"}
        },

A similar apparent discrepancy appears in the v1.5 specifications from proto to JSON.

The text was updated successfully, but these errors were encountered:

jkowalleck · 2024-02-28T14:05:58Z

looks like a low hanging fruit.
i might work on this for 1.6, as soon as #385 is in

fixes #264

## Added * Core enhancement: Attestation ([#192](#192) via [#348](#348)) * Core enhancement: Cryptography Bill of Materials — CBOM ([#171](#171), [#291](#291) via [#347](#347)) * Feature to express the URL to source distribution ([#98](#98) via [#269](#269)) * Feature to express the URL to RFC 9116 compliant documents ([#380](#380) via [#381](#381)) * Feature to express tags/keywords for services and components (via [#383](#383)) * Feature to express details for component authors ([#335](#335) via [#379](#379)) * Feature to express details for component and BOM manufacturer ([#346](#346) via [#379](#379)) * Feature to express communicate concluded values from observed evidences ([#411](#411) via [#412](#412)) * Features to express license acknowledgement ([#407](#407) via [#408](#408)) * Feature to express environmental consideration information for model cards ([#396](#396) via [#395](#395)) * Feature to express the address of organizational entities (via [#395](#395)) * Feature to express additional component identifiers: Universal Bill Of Receipts Identifier and Software Heritage persistent IDs ([#413](#413) via [#414](#414)) ## Fixed * Allow multiple evidence identities by XML/JSON schema ([#272](#272) via [#359](#359)) This was already correct via ProtoBuff schema. * Prevent empty `license` entities by XML schema ([#288](#288) via [#292](#292)) This was already correct in JSON/ProtoBuff schema. * Prevent empty or malformed `property` entities by JSON schema ([#371](#371) via [#375](#375)) This was already correct in XML/ProtoBuff schema. * Allow multiple `licenses` in `Metadata` by ProtoBuff schema ([#264](#264) via [#401](#401)) This was already correct in XML/JSON schema. ## Changed * Allow arbitrary `$schema` values by JSON schema ([#402](#402) via [#403](#403)) * Increased max length of `versionRange` (via [`3e01ce6`](3e01ce6)) * Harmonized length of `version` (via [#417](#417)) ## Deprecated * Data model "Component"'s field `author` was deprecated. (via [#379](#379)) Use field `authors` or field `manufacturer` instead. * Data model "Metadata"'s field `manufacture` was deprecated. ([#346](#346) via [#379](#379)) Use "Metadata"'s field `component`'s field `manufacturer` instead. - for XML: `/bom/metadata/component/manufacturer` - for JSON: `$.metadata.component.manufacturer` - for ProtoBuf: `Bom:metadata.component.manufacturer` ## Documentation * Centralize version and version-range (via [#322](#322)) * Streamlined SPDX expression related descriptions (via [#327](#327)) * Enhanced descriptions of `bom-ref`/`refType` ([#336](#336) via [#344](#344)) * Enhanced readability of enum documentation in JSON schema ([#361](#361) via [#362](#362)) * Fixed typo "compliment" -> "complement" (via [#369](#369)) * Added documentation for enum "ComponentScope"'s values in JSON schema ([#293](#293) via [`d92e58e`](d92e58e)) Texts were a taken from the existing ones in XML/ProtoBuff schema. * Added documentation for enum "TaskType"'s values ([#245](#245) via [#377](#377)) * Improve documentation for data model "Metadata"'s field `licenses` ([#273](#273) via [#378](#378)) * Added documentation for enum "MachineLearningApproachType"'s values ([#351](#351) via [#416](#416)) * Rephrased some texts here and there. ## Test data * Added test data for newly added use cases * Added quality assurance for our ProtoBuf schemas ([#384](#384) via [#385](#385))

jkowalleck added defect CDX 1.5 related to release v1.5 CDX 1.4 related to release v1.4 CDX 1.3 related to release v1.3 labels Jul 12, 2023

jkowalleck added the validated label Sep 12, 2023

jkowalleck removed CDX 1.5 related to release v1.5 CDX 1.4 related to release v1.4 labels Oct 15, 2023

jkowalleck added the format: ProtoBuf label Feb 28, 2024

jkowalleck added this to the 1.6 milestone Feb 28, 2024

jkowalleck self-assigned this Mar 18, 2024

jkowalleck mentioned this issue Mar 18, 2024

fix: protobuf Metadata.licenses repeated #401

Merged

jkowalleck linked a pull request Mar 18, 2024 that will close this issue

fix: protobuf Metadata.licenses repeated #401

Merged

stevespringett added a commit that referenced this issue Mar 23, 2024

fix: protobuf Metadata.licenses repeated (#401)

7a9208a

fixes #264

stevespringett closed this as completed Mar 23, 2024

jkowalleck mentioned this issue Mar 23, 2024

v1.6 #323

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

protobuf Metadata licenses should be repeated #264

protobuf Metadata licenses should be repeated #264

b-grooters-byte commented Jul 11, 2023

jkowalleck commented Feb 28, 2024

protobuf Metadata licenses should be repeated #264

protobuf Metadata licenses should be repeated #264

Comments

b-grooters-byte commented Jul 11, 2023

jkowalleck commented Feb 28, 2024