feat: add component.manufacture #372

Closed

Member

@jkowalleck jkowalleck commented Feb 8, 2024

fixes #346

  • json schema
  • xml schema
  • protobuf schema
  • examples

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck jkowalleck added this to the 1.6 milestone Feb 8, 2024
@jkowalleck jkowalleck requested a review from a team as a code owner February 8, 2024 12:50
"title": "Manufacture",
"description": "The organization that manufactured the component that the BOM describes.",
"title": "Manufacturer",
"description": "The organization that manufactured the CycloneDX document (the \"manufacturer\", although the property is misspelled).\nThis may be different from the manufacturer of the component that the CycloneDX document describes.",
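Review bot: the second `description` gives this property a different meaning from the first: the organization that manufactured the CycloneDX document rather than the component that the BOM describes. A consumer that reads the field under the first meaning will attribute the wrong organization to the component, and nothing in the description tells it which meaning a given document was written under. If the meaning has to change, state in the description that earlier documents used the field for the component's manufacturer, and point to the field that now carries that information.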
Member Author

@jkowalleck jkowalleck Feb 8, 2024

❗ this would be a semantic change. technically this is a breaking change.
see also: #346 (comment)
related to #370

@jkowalleck jkowalleck marked this pull request as draft February 8, 2024 12:51
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck jkowalleck marked this pull request as ready for review February 8, 2024 12:55
@jkowalleck jkowalleck changed the title from "feat: add component.manufacturer" to "feat: add component.manufacture" Feb 8, 2024
@jkowalleck jkowalleck linked an issue Feb 8, 2024 that may be closed by this pull request
@jkowalleck jkowalleck marked this pull request as draft February 8, 2024 13:31
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck jkowalleck marked this pull request as ready for review February 8, 2024 14:02
@stevespringett
Member

Since this is a new field of component, should we use manufacturer instead of manufacture? I'd like to eventually change metadata.manufacture in v2.0 of the spec.

@jkowalleck
Member Author

Since this is a new field of component, should we use manufacturer instead of manufacture? I'd like to eventually change metadata.manufacture in v2.0 of the spec.

I was just going with the already used field names.

Just let me know whether to use the wrong-typed existing working "manufacture",
or the correct "manufacturer" instead?
I don't have a preference.

@mrutkows
Contributor

mrutkows commented Feb 12, 2024

Just let me know whether to use the wrong-typed existing working "manufacture", or the correct "manufacturer" instead? I don't have a preference.

IMO, we should endeavor to correct to "manufacturer" where possible. Meaning when/where we introduce the field name in new objects going forward...

@@ -141,6 +141,8 @@ message Component {
optional ComponentData data = 26;
// Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.
optional CryptoProperties cryptoProperties = 27;
// The organization that manufactured the component (the "manufacturer", although the field is misspelled).
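Review bot: the added comment concedes that the new field's name is misspelled, yet the hunk adds this field to `Component` for the first time, so within this message there is no earlier name to stay compatible with. Protobuf encodes the field number rather than the name on the wire, but generated accessors and the JSON mapping use the name, so correcting the spelling in a later version would break those users. Consider naming the field `manufacturer` here, or have the comment state why the misspelling is kept.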
Contributor

@mrutkows mrutkows Feb 12, 2024

I would recommend some qualification to the ack. of the misspelling (where it MUST be preserved for 1.x compatibility) to change from ", although the field is misspelled" to ", although the field name is acknowledged to be misspelled in this version.". To indicate/imply that it is left that way intentionally (for this version).

@jkowalleck
Member Author

I took the previous comments to heart and will propose a significant change soon.
the idea kills two birds with one stone:

@jkowalleck jkowalleck marked this pull request as draft February 14, 2024 12:22
@jkowalleck jkowalleck requested a review from a team February 14, 2024 12:24
@jkowalleck jkowalleck closed this Feb 14, 2024
@jkowalleck jkowalleck deleted the 1.6-dev_component-manufacture branch February 14, 2024 16:24
@jkowalleck
Member Author

continued in #379

Successfully merging this pull request may close these issues.

Should manufacture be a property of component, rather than metadata?
3 participants