feat: add component.manufacture #372

Closed
4 changes: 3 additions & 1 deletion schema/bom-1.6.proto
@@ -141,6 +141,8 @@ message Component {
optional ComponentData data = 26;
// Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.
optional CryptoProperties cryptoProperties = 27;
// The organization that manufactured the component (the "manufacturer", although the field is misspelled).
@mrutkows (Contributor) commented on Feb 12, 2024:

I would recommend some qualification to the ack. of the misspelling (where it MUST be preserved for 1.x compatibility) to change from ", although the field is misspelled" to ", although the field name is acknowledged to be misspelled in this version.". To indicate/imply that it is left that way intentionally (for this version).

optional OrganizationalEntity manufacture = 28;
}

// Specifies the data flow.
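Review bot: The new comment on `optional OrganizationalEntity manufacture = 28;` says only that the field "is misspelled", which reads as an open defect rather than a deliberate choice; make the intent explicit, for example `// The organization that manufactured the component (the "manufacturer"; the misspelled name is kept intentionally in this version to match Metadata.manufacture).`, so that consumers of generated code do not rename it. Field number 28 follows the 26 and 27 visible in the context, which is correct for wire compatibility; since the hunk does not show the whole message, just confirm that 28 is not listed in a `reserved` statement elsewhere in `Component`.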
@@ -444,7 +446,7 @@ message Metadata {
repeated OrganizationalContact authors = 3;
// The component that the BOM describes.
optional Component component = 4;
// The organization that manufactured the component that the BOM describes.
// The organization that manufactured the CycloneDX document (the "manufacturer", although the field is misspelled). This may be different from the manufacurer of the component that the CycloneDX document describes.
optional OrganizationalEntity manufacture = 5;
// The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager.
optional OrganizationalEntity supplier = 6;
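Review bot: Typo in the added comment on `Metadata.manufacture`: "manufacurer" should be "manufacturer". Beyond the typo, the replaced line changes what an existing field means, from "the organization that manufactured the component that the BOM describes" to "the organization that manufactured the CycloneDX document", while nothing about the field itself (name, number 5, type) changes, so data written by 1.5 producers is silently reinterpreted by 1.6 consumers. Either keep the original sentence and add the new meaning as a clarification alongside the component-level field, or state the 1.5 meaning explicitly in the comment so readers know a migration is expected.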
9 changes: 7 additions & 2 deletions schema/bom-1.6.schema.json
@@ -678,8 +678,8 @@
"$ref": "#/definitions/component"
},
"manufacture": {
"title": "Manufacture",
"description": "The organization that manufactured the component that the BOM describes.",
"title": "Manufacturer",
"description": "The organization that manufactured the CycloneDX document (the \"manufacturer\", although the property is misspelled).\nThis may be different from the manufacturer of the component that the CycloneDX document describes.",
@jkowalleck (Member, Author) commented on Feb 8, 2024:

❗ This would be a semantic change. Technically this is a breaking change.
See also: #346 (comment)
Related to #370

"$ref": "#/definitions/organizationalEntity"
},
"supplier": {
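Review bot: Same semantic concern as raised in the thread: the `description` of an existing property is rewritten from the component's manufacturer to the document's manufacturer while the key `manufacture`, its `$ref` and its position stay the same, so a validator cannot distinguish old-meaning data from new-meaning data. Suggest adding a sentence to the description such as "In CycloneDX 1.5 and earlier this property described the manufacturer of the component that the BOM describes; that information now belongs in component.manufacture." The `title` change to "Manufacturer" is fine and consistent with the component-level property added in this PR.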
@@ -860,6 +860,11 @@
"title": "BOM Reference",
"description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
},
"manufacture": {
"title": "Manufacturer",
"description": "The organization that manufactured the component (the \"manufacturer\", although the property is misspelled).",
"$ref": "#/definitions/organizationalEntity"
},
"supplier": {
"title": "Component Supplier",
"description": " The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.",
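Review bot: The new `manufacture` description should say the misspelling is deliberate (to match `metadata.manufacture`) rather than only that "the property is misspelled", otherwise it reads as a known bug in the schema. Because a correctly spelled `manufacturer` key is the natural mistake for producers to make, it is worth adding an invalid-document fixture that uses `manufacturer` (if the component definition rejects unknown properties) so the test suite documents which spelling is accepted. Pre-existing nit in the context lines: the `supplier` description starts with a leading space (`" The organization that supplied the component...`) that could be trimmed while this block is being edited.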
10 changes: 9 additions & 1 deletion schema/bom-1.6.xsd
@@ -214,7 +214,10 @@ limitations under the License.
</xs:element>
<xs:element name="manufacture" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>The organization that manufactured the component that the BOM describes.</xs:documentation>
<xs:documentation>
The organization that manufactured the CycloneDX document (the &quot;manufacturer&quot;, although the element is misspelled).
This may be different from the manufacturer of the component that the CycloneDX document describes.
</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="supplier" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1">
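Review bot: This hunk redefines the existing `<manufacture>` element under metadata without changing its name, type (`bom:organizationalEntity`) or cardinality, so a 1.5 document revalidated against the 1.6 XSD keeps validating while its meaning changes; the `xs:documentation` should record the earlier meaning and point to the component-level `<manufacture>` element as the place for the component's manufacturer. Minor: the documentation text is now split across indented lines, so tools that render `xs:documentation` verbatim will show the leading whitespace and line breaks; the file already does this for the `supplier` documentation further down, so it is acceptable if that is the established convention.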
@@ -470,6 +473,11 @@ limitations under the License.

<xs:complexType name="component">
<xs:sequence>
<xs:element name="manufacture" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>The organization that manufactured the component (the &quot;manufacturer&quot;, although the element is misspelled).</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="supplier" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>The organization that supplied the component. The supplier may often
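Review bot: Because `xs:sequence` is ordered, placing the new `<manufacture>` element before `<supplier>` makes that order normative for every 1.6 document: an instance that writes `<supplier>` first and `<manufacture>` after it fails validation, and the position cannot be moved later without breaking 1.6 documents. That is a reasonable choice (it matches the metadata block, where `manufacture` precedes `supplier`), but it deserves a line in the release notes, and the XML fixture in this PR should keep exercising exactly that order. As with the JSON Schema and proto, the documentation should state that the misspelled element name is retained deliberately rather than only that it "is misspelled".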
13 changes: 13 additions & 0 deletions tools/src/test/resources/1.6/valid-bom-1.6.json
@@ -142,6 +142,19 @@
},
{
"type": "library",
"manufacture": {
"name": "ACME, Inc.",
"url": [
"https://acme.org/manufacturing"
],
"contact": [
{
"name": "ACME Manufacturing",
"email": "manufacturing@acme.org",
"phone": "800-555-13372"
}
]
},
"supplier": {
"name": "Example, Inc.",
"url": [
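Review bot: The manufacturer name differs between the fixtures added in this PR: `"ACME, Inc."` here versus `Acme Inc.` in the textproto and XML versions of the same component. If the three files are meant to be one BOM in three encodings (their `contact` blocks are identical), align the name so cross-format comparisons do not trip on it. Within this hunk the field is exercised only at component level; since the PR also rewords `metadata.manufacture`, consider exercising that property in a fixture as well.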
9 changes: 9 additions & 0 deletions tools/src/test/resources/1.6/valid-bom-1.6.textproto
@@ -141,6 +141,15 @@ components {
group: "org.example"
name: "mylibrary"
version: "1.0.0"
manufacture {
name: "Acme Inc."
url: "https://acme.org/manufacturing"
contact {
name: "ACME Manufacturing"
email: "manufacturing@acme.org"
phone: "800-555-13372"
}
}
}
dependencies {
ref: "pkg:npm/acme/component@1.0.0"
9 changes: 9 additions & 0 deletions tools/src/test/resources/1.6/valid-bom-1.6.xml
@@ -106,6 +106,15 @@
</pedigree>
</component>
<component type="library">
<manufacture>
<name>Acme Inc.</name>
<url>https://acme.org/manufacturing</url>
<contact>
<name>ACME Manufacturing</name>
<email>manufacturing@acme.org</email>
<phone>800-555-13372</phone>
</contact>
</manufacture>
<supplier>
<name>Example Inc.</name>
<url>https://example.com</url>