Added support for concluded value. Updated test cases. (#412)

Closes #411 - [x] modify JSON schema - [x] modify XML schema - [x] modify protobuf schema - [x] add examples & test resources
CycloneDX · Mar 28, 2024 · 6e90b46 · 6e90b46
2 parents 2b8fd26 + 45db721
commit 6e90b46
Show file tree

Hide file tree

Showing 6 changed files with 21 additions and 0 deletions.
diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto
@@ -729,6 +729,8 @@ message EvidenceIdentity {
   repeated EvidenceMethods methods = 3;
   // The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation.
   repeated string tools = 4;
+  // The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available).
+  optional string concludedValue = 5;
 }
 
 message EvidenceMethods {

diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
@@ -4447,6 +4447,11 @@
           "title": "Confidence",
           "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."
         },
+        "concludedValue": {
+          "type": "string",
+          "title": "Concluded Value",
+          "description": "The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)."
+        },
         "methods": {
           "type": "array",
           "title": "Methods",

diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
@@ -2356,6 +2356,11 @@ limitations under the License.
                                 <xs:documentation>The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence.</xs:documentation>
                             </xs:annotation>
                         </xs:element>
+                        <xs:element name="concludedValue" type="xs:string" minOccurs="0" maxOccurs="1">
+                            <xs:annotation>
+                                <xs:documentation>The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available).</xs:documentation>
+                            </xs:annotation>
+                        </xs:element>
                         <xs:element name="methods" minOccurs="0" maxOccurs="1">
                             <xs:annotation>
                                 <xs:documentation>The methods used to extract and/or analyze the evidence.</xs:documentation>

diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.json b/tools/src/test/resources/1.6/valid-evidence-1.6.json
@@ -117,6 +117,7 @@
           {
             "field": "group",
             "confidence": 0.1,
+            "concludedValue": "com.example",
             "methods": [
               {
                 "technique": "filename",
@@ -128,6 +129,7 @@
           {
             "field": "name",
             "confidence": 0.1,
+            "concludedValue": "example-project",
             "methods": [
               {
                 "technique": "filename",
@@ -139,6 +141,7 @@
           {
             "field": "version",
             "confidence": 0.1,
+            "concludedValue": "1.0.0",
             "methods": [
               {
                 "technique": "filename",

diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.textproto b/tools/src/test/resources/1.6/valid-evidence-1.6.textproto
@@ -122,6 +122,7 @@ components [
               value: "example-project-1.0.0.jar"
             }
           ]
+          concludedValue: "com.example"
         },
         {
           field: EVIDENCE_FIELD_NAME
@@ -133,6 +134,7 @@ components [
               value: "example-project-1.0.0.jar"
             }
           ]
+          concludedValue: "example-project"
         },
         {
           field: EVIDENCE_FIELD_VERSION
@@ -144,6 +146,7 @@ components [
               value: "example-project-1.0.0.jar"
             }
           ]
+          concludedValue: "1.0.0"
         }
       ]
     }

diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.xml b/tools/src/test/resources/1.6/valid-evidence-1.6.xml
@@ -97,6 +97,7 @@
                 <identity>
                     <field>group</field>
                     <confidence>0.1</confidence>
+                    <concludedValue>com.example</concludedValue>
                     <methods>
                         <method>
                             <technique>filename</technique>
@@ -108,6 +109,7 @@
                 <identity>
                     <field>name</field>
                     <confidence>0.1</confidence>
+                    <concludedValue>example-project</concludedValue>
                     <methods>
                         <method>
                             <technique>filename</technique>
@@ -119,6 +121,7 @@
                 <identity>
                     <field>version</field>
                     <confidence>0.1</confidence>
+                    <concludedValue>1.0.0</concludedValue>
                     <methods>
                         <method>
                             <technique>filename</technique>