draft: JSON - extraneous comp and version range

jkowalleck · jkowalleck · commit 4aef00553299 · 2025-02-05T14:56:53.000+01:00
related to #321 #321 Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
@@ -925,6 +925,10 @@
           "title": "Component Version",
           "description": "The component version. The version should ideally comply with semantic versioning but is not enforced."
         },
+        "versionRange": {
+          "$ref": "#/definitions/versionRange",
+          "title": "Component Version Range"
+        },
         "description": {
           "type": "string",
           "title": "Component Description",
@@ -946,6 +950,12 @@
           "description": "Specifies the scope of the component. If scope is not specified, 'required' scope SHOULD be assumed by the consumer of the BOM.",
           "default": "required"
         },
+        "isExtraneous": {
+          "type": "boolean",
+          "title": "Component Is Extraneous",
+          "description": "Whether this component is extraneous.\nAn extraneous component is not part of an assembly, but are (expected to be) provided by the environment, regardless of the component's `scope`.",
+          "default": false
+        },
         "hashes": {
           "type": "array",
           "title": "Component Hashes",
@@ -1096,7 +1106,18 @@
           "title": "Signature",
           "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
         }
-      }
+      },
+      "allOf": [
+        {
+          "$comment": "property `version` and `versionRange` MUST NOT exist at the same time.",
+          "not": { "required": ["version", "versionRange"] }
+        },
+        {
+          "$comment": "`version-range` MUST only be present, if `isExtraneous` is `true`",
+          "if": { "properties": { "isExtraneous": { "const": false } } },
+          "then": { "not": { "required": ["versionRange"] } }
+        }
+      ]
     },
     "swid": {
       "type": "object",
diff --git a/tools/src/test/resources/1.7/invalid-component-version-and-range.json b/tools/src/test/resources/1.7/invalid-component-version-and-range.json
@@ -0,0 +1,15 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.7",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "components": [
+    {
+      "type": "library",
+      "name": "InvalidVersions",
+      "description": "may have `version` or `versionRange`, not both. This one does - it is invalid",
+      "version": "9.0.14",
+      "versionRange": ">=9.0.0|<10.0.0"
+    }
+  ]
+}
diff --git a/tools/src/test/resources/1.7/invalid-component-versionRange-non-extraneous-explicit.json b/tools/src/test/resources/1.7/invalid-component-versionRange-non-extraneous-explicit.json
@@ -0,0 +1,15 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.7",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "components": [
+    {
+      "type": "library",
+      "name": "InvalidVersions",
+      "description": "versionRange may only exist on extraneous components, set `isExtraneous` explicit",
+      "isExtraneous": false,
+      "versionRange": ">=9.0.0|<10.0.0"
+    }
+  ]
+}
diff --git a/tools/src/test/resources/1.7/invalid-component-versionRange-non-extraneous-implicit.json b/tools/src/test/resources/1.7/invalid-component-versionRange-non-extraneous-implicit.json
@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.7",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "components": [
+    {
+      "type": "library",
+      "name": "InvalidVersions",
+      "description": "versionRange may only exist on extraneous components, set `isExtraneous` implicit by default value",
+      "versionRange": ">=9.0.0|<10.0.0"
+    }
+  ]
+}
diff --git a/tools/src/test/resources/1.7/valid-component-extraneous-no-version-information.json b/tools/src/test/resources/1.7/valid-component-extraneous-no-version-information.json
@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.7",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "components": [
+    {
+      "type": "library",
+      "name": "Foo",
+      "description": "extraneous without any version constraints",
+      "isExtraneous": true
+    }
+  ]
+}
diff --git a/tools/src/test/resources/1.7/valid-component-extraneous-with-version.json b/tools/src/test/resources/1.7/valid-component-extraneous-with-version.json
@@ -0,0 +1,15 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.7",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "components": [
+    {
+      "type": "library",
+      "name": "Foo",
+      "description": "extraneous with version constraint",
+      "isExtraneous": true,
+      "version": "9.1.24"
+    }
+  ]
+}
diff --git a/tools/src/test/resources/1.7/valid-component-extraneous-with-versionRange.json b/tools/src/test/resources/1.7/valid-component-extraneous-with-versionRange.json
@@ -0,0 +1,15 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.7",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "components": [
+    {
+      "type": "library",
+      "name": "Foo",
+      "description": "extraneous with version range constraints",
+      "isExtraneous": true,
+      "versionRange": ">=9.0.0|<10.0.0"
+    }
+  ]
+}
