Added expressions - JSONPath and XPath as an alternative to JSON Pointer. Updated formulation description. Updated test cases.

Signed-off-by: Steve Springett <steve@springett.us>

Author: stevespringett

schema/bom-1.7.proto

@@ -37,7 +37,7 @@ message Bom {
   repeated Annotation annotations = 11;
   // Specifies optional, custom, properties
   repeated Property properties = 12;
-  // Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process.
+  // Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps.
   repeated Formula formulation = 13;
   // The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.
   repeated Declarations declarations = 14;
@@ -315,7 +315,7 @@ enum ExternalReferenceType {
   EXTERNAL_REFERENCE_TYPE_CONFIGURATION = 35;
   // Information used to substantiate a claim.
   EXTERNAL_REFERENCE_TYPE_EVIDENCE = 36;
-  // Describes how a component or service was manufactured or deployed.
+  // Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.
   EXTERNAL_REFERENCE_TYPE_FORMULATION = 37;
   // The location where the source code distributable can be obtained. This is often an archive format such as zip or tar.gz. The source-distribution type complements the use of the version control (vcs) type.
   EXTERNAL_REFERENCE_TYPE_SOURCE_DISTRIBUTION = 38;
@@ -2624,12 +2624,14 @@ message Citation {
   optional string bom_ref = 1;
   // One or more JSON Pointers(https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.
   repeated string pointer = 2;
+  // Specifies a path expression used to locate a value within a BOM. The expression syntax shall conform to the format of the BOM's serialisation. Use [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) for JSON, [XPath](https://www.w3.org/TR/xpath/) for XML, and default to JSONPath for Protocol Buffers unless otherwise specified. Implementers shall ensure the expression is valid within the context of the applicable serialisation format. Use either "pointer" or "expression" but not both in this object.
+  repeated string expression = 3;
   // Timestamp when the attribution was made or the information was supplied.
-  google.protobuf.Timestamp timestamp = 3;
+  google.protobuf.Timestamp timestamp = 4;
   // The `bom-ref` of an object, such as a component, service, organisational entity, or person that supplied the cited information.
-  optional string attributed_to = 4;
+  optional string attributed_to = 5;
   // An optional `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data. At least one of the "attributedTo" or "process" elements must be present.
-  optional string process = 5;
+  optional string process = 6;
   // An optional description or comment about the context or quality of the data attribution. At least one of the "attributedTo" or "process" elements must be present.
-  optional string note = 6;
+  optional string note = 7;
 }

schema/bom-1.7.schema.json

@@ -100,7 +100,7 @@
       "items": {"$ref": "#/definitions/formula"},
       "uniqueItems": true,
       "title": "Formulation",
-      "description": "Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process."
+      "description": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."
     },
     "declarations": {
       "type": "object",
@@ -1932,7 +1932,7 @@
             "log": "A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.",
             "configuration": "Parameters or settings that may be used by other components or services.",
             "evidence": "Information used to substantiate a claim.",
-            "formulation": "Describes how a component or service was manufactured or deployed.",
+            "formulation": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.",
             "attestation": "Human or machine-readable statements containing facts, evidence, or testimony.",
             "threat-model": "An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.",
             "adversary-model": "The defined assumptions, goals, and capabilities of an adversary.",
@@ -6140,6 +6140,17 @@
           "title": "Field References",
           "description": "One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies."
         },
+        "expressions": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "title": "Path Expression",
+            "description": "Specifies a path expression used to locate a value within a BOM. The expression syntax shall conform to the format of the BOM's serialisation. Use [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) for JSON, [XPath](https://www.w3.org/TR/xpath/) for XML, and default to JSONPath for Protocol Buffers unless otherwise specified. Implementers shall ensure the expression is valid within the context of the applicable serialisation format."
+          },
+          "minItems": 1,
+          "title": "Path Expressions",
+          "description": "One or more path expressions used to locate values within a BOM."
+        },
         "timestamp": {
           "type": "string",
           "format": "date-time",
@@ -6162,10 +6173,14 @@
           "description": "An optional digital signature verifying the authenticity or integrity of the attribution."
         }
       },
-      "required": ["pointers", "timestamp"],
+      "required": ["timestamp"],
       "anyOf": [
         { "required": ["attributedTo"] },
         { "required": ["process"] }
+      ],
+      "oneOf": [
+        { "required": ["pointers"] },
+        { "required": ["expressions"] }
       ]
     }
   }

schema/bom-1.7.xsd

@@ -1669,7 +1669,7 @@ limitations under the License.
             </xs:enumeration>
             <xs:enumeration value="formulation">
                 <xs:annotation>
-                    <xs:documentation>Describes how a component or service was manufactured or deployed.</xs:documentation>
+                    <xs:documentation>Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.</xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="attestation">
@@ -5218,9 +5218,13 @@ limitations under the License.
     <xs:complexType name="formulationType">
         <xs:annotation>
             <xs:documentation>
-                Describes how a component or service was manufactured or deployed. This is achieved through the use
-                of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the
-                observed formulas describing the steps which transpired in the manufacturing process.
+                Describes the formulation of any referencable object within the BOM,
+                including components, services, metadata, declarations, or the BOM itself. This may
+                encompass how the object was created, assembled, deployed, tested, certified, or otherwise
+                brought into its present form. Common examples include software build pipelines,
+                deployment processes, AI/ML model training, cryptographic key generation or certification,
+                and third-party audits. Processes are modeled using declared and observed formulas,
+                composed of workflows, tasks, and individual steps.
             </xs:documentation>
         </xs:annotation>
         <xs:sequence minOccurs="0" maxOccurs="unbounded">
@@ -8880,24 +8884,44 @@ limitations under the License.
             </xs:documentation>
         </xs:annotation>
         <xs:sequence>
-            <xs:element name="pointers" minOccurs="1" maxOccurs="1">
-                <xs:annotation>
-                    <xs:documentation>
-                        One or more JSON Pointers(https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.
-                    </xs:documentation>
-                </xs:annotation>
-                <xs:complexType>
-                    <xs:sequence>
-                        <xs:element name="pointer" type="xs:string" minOccurs="1" maxOccurs="unbounded">
-                            <xs:annotation>
-                                <xs:documentation>
-                                    A JSON Pointer(https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies. Users of other serialisation formats (e.g. XML) shall use the JSON Pointer format to ensure consistent field referencing across representations.
-                                </xs:documentation>
-                            </xs:annotation>
-                        </xs:element>
-                    </xs:sequence>
-                </xs:complexType>
-            </xs:element>
+            <xs:choice>
+                <xs:element name="pointers" minOccurs="1" maxOccurs="1">
+                    <xs:annotation>
+                        <xs:documentation>
+                            One or more JSON Pointers(https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.
+                        </xs:documentation>
+                    </xs:annotation>
+                    <xs:complexType>
+                        <xs:sequence>
+                            <xs:element name="pointer" type="xs:string" minOccurs="1" maxOccurs="unbounded">
+                                <xs:annotation>
+                                    <xs:documentation>
+                                        A JSON Pointer(https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies. Users of other serialisation formats (e.g. XML) shall use the JSON Pointer format to ensure consistent field referencing across representations.
+                                    </xs:documentation>
+                                </xs:annotation>
+                            </xs:element>
+                        </xs:sequence>
+                    </xs:complexType>
+                </xs:element>
+                <xs:element name="expressions" minOccurs="1" maxOccurs="1">
+                    <xs:annotation>
+                        <xs:documentation>
+                            One or more path expressions used to locate values within a BOM.
+                        </xs:documentation>
+                    </xs:annotation>
+                    <xs:complexType>
+                        <xs:sequence>
+                            <xs:element name="expression" type="xs:string" minOccurs="1" maxOccurs="unbounded">
+                                <xs:annotation>
+                                    <xs:documentation>
+                                        Specifies a path expression used to locate a value within a BOM. The expression syntax shall conform to the format of the BOM's serialisation. Use [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) for JSON, [XPath](https://www.w3.org/TR/xpath/) for XML, and default to JSONPath for Protocol Buffers unless otherwise specified. Implementers shall ensure the expression is valid within the context of the applicable serialisation format.
+                                    </xs:documentation>
+                                </xs:annotation>
+                            </xs:element>
+                        </xs:sequence>
+                    </xs:complexType>
+                </xs:element>
+            </xs:choice>
             <xs:element name="timestamp" type="xs:dateTime" minOccurs="1" maxOccurs="1">
                 <xs:annotation>
                     <xs:documentation>
@@ -9020,10 +9044,13 @@ limitations under the License.
                 </xs:element>
                 <xs:element name="formulation" type="bom:formulationType" minOccurs="0" maxOccurs="1">
                     <xs:annotation>
-                        <xs:documentation>Describes how a component or service was manufactured or deployed. This is
-                            achieved through the use of formulas, workflows, tasks, and steps, which declare the precise
-                            steps to reproduce along with the observed formulas describing the steps which transpired
-                            in the manufacturing process.</xs:documentation>
+                        <xs:documentation>Describes the formulation of any referencable object within the BOM,
+                            including components, services, metadata, declarations, or the BOM itself. This may
+                            encompass how the object was created, assembled, deployed, tested, certified, or otherwise
+                            brought into its present form. Common examples include software build pipelines,
+                            deployment processes, AI/ML model training, cryptographic key generation or certification,
+                            and third-party audits. Processes are modeled using declared and observed formulas,
+                            composed of workflows, tasks, and individual steps.</xs:documentation>
                     </xs:annotation>
                 </xs:element>
                 <xs:element name="declarations" type="bom:declarationsType" minOccurs="0" maxOccurs="1">

tools/src/test/resources/1.7/invalid-citations-1.7.json

@@ -28,6 +28,13 @@
       "pointers": [ "/components/0/name" ],
       "timestamp": "2025-05-01T14:00:00Z",
       "note": "Should have at least one of the following property sets: property 'attributedTo' or property 'process'"
+    },
+    {
+      "bom-ref": "citation-1",
+      "pointers": [ "/components/0/name" ],
+      "expressions": [ "expression here" ],
+      "timestamp": "2025-05-01T14:00:00Z",
+      "note": "Should not have both a pointer and expression."
     }
   ]
 }

tools/src/test/resources/1.7/invalid-citations-1.7.xml

@@ -84,5 +84,16 @@
             <process>task-license-scan-2</process>
             <note>Should have at max one 'process'</note>
         </citation>
+        <citation bom-ref="citation-4">
+            <pointers>
+                <pointer>/components/0/licenses/0/license/id</pointer>
+            </pointers>
+            <expressions>
+                <expression>expression here</expression>
+            </expressions>
+            <timestamp>2025-05-01T14:05:00Z</timestamp>
+            <process>task-license-scan</process>
+            <note>Should not have both a pointer and expression.</note>
+        </citation>
     </citations>
 </bom>

tools/src/test/resources/1.7/valid-citations-1.7.json

@@ -46,7 +46,7 @@
     },
     {
       "bom-ref": "citation-3",
-      "pointers": [ "/components/0/licenses/0/license/id" ],
+      "expressions": [ "$.components[*].licenses[*].license.id" ],
       "timestamp": "2025-05-01T14:05:00Z",
       "attributedTo": "scan-tool-1",
       "process": "task-license-scan",

tools/src/test/resources/1.7/valid-citations-1.7.textproto

@@ -52,7 +52,7 @@ citations [
   },
   {
     bom_ref: "citation-3"
-    pointer: "/components/0/licenses/0/license/id"
+    expression: "$.components[*].licenses[*].license.id"
     timestamp: {
       seconds: 1746108000
       nanos: 0

tools/src/test/resources/1.7/valid-citations-1.7.xml

@@ -67,9 +67,9 @@
             <note>Semi-manually entered by Alice Example - with `process`</note>
         </citation>
         <citation bom-ref="citation-3">
-            <pointers>
-                <pointer>/components/0/licenses/0/license/id</pointer>
-            </pointers>
+            <expressions>
+                <expression>/components/component/licenses/license/id</expression>
+            </expressions>
             <timestamp>2025-05-01T14:05:00Z</timestamp>
             <attributedTo>scan-tool-1</attributedTo>
             <process>task-license-scan</process>