From 4ca69c9cdf81356d7f114ceaa9fca15a7872c97c Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 8 Feb 2024 13:05:09 +0100 Subject: [PATCH 1/9] feat: devide metadata from its component - add `component.manufacturer` - add `component.authors` - deprecate `component.author` in favour of `component.authors` and `component.manufacturer` - deprecate `metatada.manufature` in favour of `metadata.component.manufacturer` - deprecate `metadata.supplier` in favour of `metadata.component.supplier` Signed-off-by: Jan Kowalleck --- schema/bom-1.6.schema.json | 36 ++++++++++++++++++++++++++++-------- 1 file changed, 28 insertions(+), 8 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index f607294d..3d5a6870 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -666,10 +666,16 @@ } ] }, + "manufacturer" :{ + "type": "array", + "title": "BOM Manufacturer", + "description": "The organization that created the BOM. Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '@.authors' instead.", + "items": {"$ref": "#/definitions/organizationalEntity"} + }, "authors" :{ "type": "array", - "title": "Authors", - "description": "The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors.", + "title": "BOM Authors", + "description": "The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may have '@.manufacturer' instead.", "items": {"$ref": "#/definitions/organizationalContact"} }, "component": { 
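Review bot: The new `metadata.manufacturer` (the organization that created the BOM) now sits directly beside the existing `metadata.manufacture` (the organization that manufactured the described component), and the added description says nothing about that near-identical sibling, so a consumer attributing provenance can easily read one for the other. I would append to the `manufacturer` description: `Not to be confused with the deprecated '@.manufacture', which names the manufacturer of the component the BOM describes.` The path references in this hunk are single-quoted (`'@.authors'`, `'@.manufacturer'`) while the component descriptions added later in the same patch use backticks; one form across the schema would be cleaner.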
@@ -678,13 +684,15 @@ "$ref": "#/definitions/component" }, "manufacture": { - "title": "Manufacture", - "description": "The organization that manufactured the component that the BOM describes.", + "deprecated": true, + "title": "Component Manufacture (legacy)", + "description": "[Deprecated] - DO NOT USE. This will be removed in a future version. Use the `@.component.manufacturer` instead.\nThe organization that manufactured the component that the BOM describes.", "$ref": "#/definitions/organizationalEntity" }, "supplier": { - "title": "Supplier", - "description": " The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "deprecated": true, + "title": "Component Supplier (legacy)", + "description": "[Deprecated] - DO NOT USE. This will be removed in a future version. Use `@.component.supplier` instead.\n The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.", "$ref": "#/definitions/organizationalEntity" }, "licenses": { 
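Review bot: `"deprecated": true` is placed as a sibling of `$ref` in both `manufacture` and `supplier`; if this schema still declares draft-07 (the `$schema` line is outside the hunk), validators ignore every keyword next to `$ref` and `deprecated` is not a draft-07 keyword anyway, so nothing here is enforced and the `[Deprecated]` text is the only signal a consumer gets. Separately, a document may now carry both `metadata.manufacture` and `metadata.component.manufacturer` naming different organizations, and the schema states no precedence, which matters for anyone using these fields for provenance attribution. I would add one sentence to the `manufacture` description, e.g. `If both this field and @.component.manufacturer are present, consumers should treat @.component.manufacturer as authoritative.` The `supplier` half of this hunk is reverted by patch 2 of this series, so I am not commenting on it.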
@@ -865,10 +873,22 @@ "description": " The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.", "$ref": "#/definitions/organizationalEntity" }, + "manufacturer": { + "title": "Component Manufacturer", + "description": "The organization that created the component. Manufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.", + "$ref": "#/definitions/organizationalEntity" + }, + "authors" :{ + "type": "array", + "title": "Component Authors", + "description": "The person(s) who created the component. Authors are common in components created through manual processes. Components created through automated means may have `@.manufacturer` instead.", + "items": {"$ref": "#/definitions/organizationalContact"} + }, "author": { + "deprecated": true, "type": "string", - "title": "Component Author", - "description": "The person(s) or organization(s) that authored the component", + "title": "Component Author (legacy)", + "description": "[Deprecated] - DO NOT USE. This will be removed in a future version. Use `@.authors` or `@.manufacturer` instead.\nThe person(s) or organization(s) that authored the component", "examples": ["Acme Inc"] }, "publisher": { From cbd6265ee5ee7b9f5f79a5fc7908e47c0965e8b1 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 15 Feb 2024 09:10:59 +0100 Subject: [PATCH 2/9] revert proposed changes on `metadata.supplier` Signed-off-by: Jan Kowalleck --- schema/bom-1.6.schema.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 3d5a6870..6d0ec757 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json 
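Review bot: `"authors" :{` in the component definition carries a space before the colon that the rest of the file does not use (`"author": {` directly below it), and unlike the metadata entries this one is not corrected later in the series, so it should read `"authors": {`. The deprecated `author` keeps `"examples": ["Acme Inc"]`, which continues to advertise a field whose description says not to use it; either drop the example or move it to `authors`/`manufacturer`. Note also that `author` is a free-text string while its replacements are structured objects, so a value like the fixtures' `"Joane Doe et al."` has no lossless mapping — that deserves a sentence in the migration notes.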
@@ -690,9 +690,8 @@ "$ref": "#/definitions/organizationalEntity" }, "supplier": { - "deprecated": true, - "title": "Component Supplier (legacy)", - "description": "[Deprecated] - DO NOT USE. This will be removed in a future version. Use `@.component.supplier` instead.\n The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "title": "Supplier", + "description": " The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.", "$ref": "#/definitions/organizationalEntity" }, "licenses": { From 702653c10db93e92cc0c0827d53cefce20575b74 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 20 Feb 2024 22:08:41 +0100 Subject: [PATCH 3/9] sam fix indended JSON data structures Signed-off-by: Jan Kowalleck --- schema/bom-1.6.schema.json | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index dde75787..ecde89aa 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -666,13 +666,12 @@ } ] }, - "manufacturer" :{ - "type": "array", + "manufacturer": { "title": "BOM Manufacturer", "description": "The organization that created the BOM. Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '@.authors' instead.", - "items": {"$ref": "#/definitions/organizationalEntity"} + "$ref": "#/definitions/organizationalEntity" }, - "authors" :{ + "authors": { "type": "array", "title": "BOM Authors", "description": "The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may have '@.manufacturer' instead.", From 4cc4e14d92a0f3caaf465b9059024fdb679f7283 Mon Sep 17 00:00:00 2001 
From: Jan Kowalleck Date: Tue, 20 Feb 2024 22:09:00 +0100 Subject: [PATCH 4/9] add JSON test data Signed-off-by: Jan Kowalleck --- .../src/test/resources/1.6/valid-bom-1.6.json | 26 +++++++++++++++++-- .../1.6/valid-metadata-manufacture-1.6.json | 2 +- .../1.6/valid-metadata-manufacturer-1.6.json | 23 ++++++++++++++++ 3 files changed, 48 insertions(+), 3 deletions(-) create mode 100644 tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.json diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.json b/tools/src/test/resources/1.6/valid-bom-1.6.json index 994f726f..23482e78 100644 --- a/tools/src/test/resources/1.6/valid-bom-1.6.json +++ b/tools/src/test/resources/1.6/valid-bom-1.6.json @@ -45,7 +45,7 @@ } } }, - "manufacture": { + "manufacturer": { "name": "Acme, Inc.", "url": [ "https://example.com" @@ -74,6 +74,7 @@ { "bom-ref": "pkg:npm/acme/component@1.0.0", "type": "library", + "author": "Joane DOe et al.", "publisher": "Acme Inc", "group": "com.acme", "name": "tomcat-catalina", @@ -160,7 +161,28 @@ } ] }, - "author": "Example Super Heros", + "manufacturer": { + "name": "Example-2, Inc.", + "url": [ + "https://example.org" + ], + "contact": [ + { + "email": "support@example.org" + } + ] + }, + "authors": [ + { + "name": "Anthony Edward Stark", + "phone": "555-212-970-4133", + "email": "ironman@example.org" + }, + { + "name": "Peter Benjamin Parker", + "email": "spiderman@example.org" + } + ], "group": "org.example", "name": "mylibrary", "version": "1.0.0" diff --git a/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.json b/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.json index 26b1c8b4..bee88561 100644 --- a/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.json +++ b/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.json @@ -6,7 +6,7 @@ "metadata": { "manufacture": { "bom-ref": "manufacturer-1", - "name": "Acme, Inc.", + "name": "Acme, Inc. // deprecated", "url": [ "https://example.com" ], 
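Review bot: After the `manufacture` → `manufacturer` rename in the `@@ -45` hunk of valid-bom-1.6.json no fixture carries the deprecated `metadata.manufacture` together with the new `metadata.manufacturer`, and likewise no component carries `author` next to `authors`/`manufacturer` (the `author` string goes on tomcat-catalina, the structured fields on mylibrary), so the backward-compatibility case this series is meant to preserve — legacy and new fields in one document — is never validated. I would add a fixture, or extend this one, with both present. In valid-metadata-manufacture-1.6.json the `// deprecated` marker is embedded in the `name` value because JSON has no comments; acceptable for a fixture, but the string then has to stay byte-identical across the XML and textproto variants if the cross-format tests compare converted output.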
diff --git a/tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.json b/tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.json new file mode 100644 index 00000000..7fc82b90 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.json @@ -0,0 +1,23 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "manufacturer": { + "bom-ref": "manufacturer-1", + "name": "Acme, Inc.", + "url": [ + "https://example.com" + ], + "contact": [ + { + "bom-ref": "contact-1", + "name": "Acme Professional Services", + "email": "professional.services@example.com" + } + ] + } + }, + "components": [] +} From 5639eef48b2284f756d6d729f18cc8a6bee6497f Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 20 Feb 2024 22:09:55 +0100 Subject: [PATCH 5/9] fix typo Signed-off-by: Jan Kowalleck --- tools/src/test/resources/1.6/valid-bom-1.6.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.json b/tools/src/test/resources/1.6/valid-bom-1.6.json index 23482e78..f077c793 100644 --- a/tools/src/test/resources/1.6/valid-bom-1.6.json +++ b/tools/src/test/resources/1.6/valid-bom-1.6.json @@ -74,7 +74,7 @@ { "bom-ref": "pkg:npm/acme/component@1.0.0", "type": "library", - "author": "Joane DOe et al.", + "author": "Joane Doe et al.", "publisher": "Acme Inc", "group": "com.acme", "name": "tomcat-catalina", From cd1fbe9f29873616ec0acc7a491f62ea06a50654 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 20 Feb 2024 23:21:07 +0100 Subject: [PATCH 6/9] xml 
Signed-off-by: Jan Kowalleck --- schema/bom-1.6.schema.json | 8 ++-- schema/bom-1.6.xsd | 45 +++++++++++++++++-- .../src/test/resources/1.6/valid-bom-1.6.xml | 25 +++++++++-- .../1.6/valid-metadata-manufacture-1.6.xml | 2 +- .../1.6/valid-metadata-manufacturer-1.6.xml | 14 ++++++ 5 files changed, 81 insertions(+), 13 deletions(-) create mode 100644 tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.xml diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index ecde89aa..ae5d0083 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -668,13 +668,13 @@ }, "manufacturer": { "title": "BOM Manufacturer", - "description": "The organization that created the BOM. Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '@.authors' instead.", + "description": "The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '@.authors' instead.", "$ref": "#/definitions/organizationalEntity" }, "authors": { "type": "array", "title": "BOM Authors", - "description": "The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may have '@.manufacturer' instead.", + "description": "The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. BOMs created through automated means may have '@.manufacturer' instead.", "items": {"$ref": "#/definitions/organizationalContact"} }, "component": { 
@@ -874,13 +874,13 @@ }, "manufacturer": { "title": "Component Manufacturer", - "description": "The organization that created the component. Manufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.", + "description": "The organization that created the component.\nManufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.", "$ref": "#/definitions/organizationalEntity" }, "authors" :{ "type": "array", "title": "Component Authors", - "description": "The person(s) who created the component. Authors are common in components created through manual processes. Components created through automated means may have `@.manufacturer` instead.", + "description": "The person(s) who created the component.\nAuthors are common in components created through manual processes. Components created through automated means may have `@.manufacturer` instead.", "items": {"$ref": "#/definitions/organizationalContact"} }, "author": { diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 1df0505c..ba049e36 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -198,8 +198,10 @@ limitations under the License. - The person(s) who created the BOM. Authors are common in BOMs created through - manual processes. BOMs created through automated means may not have authors. + + The person(s) who created the BOM. + Authors are common in BOMs created through manual processes. BOMs created through automated means may have './manufacturer' instead. + 
@@ -212,9 +214,20 @@ limitations under the License. The component that the BOM describes. + + + + The organization that created the BOM. + Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have './authors' instead. + + + - The organization that manufactured the component that the BOM describes. + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use the `./component/manufacturer` instead. + The organization that manufactured the component that the BOM describes. + @@ -483,9 +496,33 @@ limitations under the License. be the manufacturer, but may also be a distributor or repackager. + + + + The organization that created the component. + Manufacturer is common in components created through automated processes. Components created through manual means may have './authors' instead. + + + + + + + The person(s) who created the component. + Authors are common in components created through manual processes. Components created through automated means may have `./manufacturer` instead. + + + + + + + + - The person(s) or organization(s) that authored the component + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./authors` or `./manufacturer` instead. + The person(s) or organization(s) that authored the component. + diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.xml b/tools/src/test/resources/1.6/valid-bom-1.6.xml index fc1904d3..6760b9da 100644 --- a/tools/src/test/resources/1.6/valid-bom-1.6.xml +++ b/tools/src/test/resources/1.6/valid-bom-1.6.xml @@ -28,14 +28,14 @@ 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 - + Acme, Inc. https://example.com Acme Professional Services professional.services@example.com - + Acme, Inc. https://example.com @@ -47,7 +47,7 @@ - Acme Super Heros + Joane Doe et al. Acme Inc com.acme tomcat-catalina 
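Review bot: The element markup of these XSD hunks did not survive rendering, so I cannot confirm how `manufacturer` and `authors` are declared; if they were inserted into an `xs:sequence` ahead of `author` (which is where the `@@ -483` hunk places them), XML producers must emit them in exactly that position, unlike JSON where property order is free, and that ordering constraint belongs in the migration notes. The documentation strings in the same hunk mix quoting styles — `'./authors'` and `'./manufacturer'` versus a backticked `./manufacturer` in the component `authors` text — while the matching JSON descriptions use `@.` paths; one form per format would help. Keeping the deprecated `manufacture` element in place is the right call for backward compatibility.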
@@ -120,7 +120,24 @@ support@apac.example.com - Example Super Heros + + Example-2, Inc.Example-2, Inc. + https://example.org + + support@example.org + + + + + Anthony Edward Stark + ironman@example.org + 555-212-970-4133 + + + Peter Benjamin Parker + spiderman@example.org + + org.example mylibrary 1.0.0 diff --git a/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.xml b/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.xml index d7559699..78ea7e22 100644 --- a/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.xml +++ b/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.xml @@ -2,7 +2,7 @@ - Acme, Inc. + Acme, Inc. // deprecated https://example.com Acme Professional Services diff --git a/tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.xml b/tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.xml new file mode 100644 index 00000000..94a536cc --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.xml @@ -0,0 +1,14 @@ + + + + + Acme, Inc. + https://example.com + + Acme Professional Services + professional.services@example.com + + + + + From c8f97ce1df3c6494680fcd82c6b54339d099fcba Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 20 Feb 2024 23:34:28 +0100 Subject: [PATCH 7/9] protobuf Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 16 +++++++++++----- .../test/resources/1.6/valid-bom-1.6.textproto | 12 ++++++------ .../1.6/valid-metadata-manufacture-1.6.textproto | 2 +- .../valid-metadata-manufacturer-1.6.textproto | 15 +++++++++++++++ 4 files changed, 33 insertions(+), 12 deletions(-) create mode 100644 tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.textproto diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index d1a02573..8e802f4a 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto 
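Review bot: In the `@@ -120` hunk of valid-bom-1.6.xml the manufacturer name renders as `Example-2, Inc.Example-2, Inc.`, which looks like two adjacent `name` elements (or a duplicated text node) inside the new `manufacturer` element; the JSON and textproto fixtures carry a single `Example-2, Inc.`, so either the XML source has a duplicate that would make the fixture invalid against `organizationalEntity`, or this is a rendering artifact. Worth checking before this file is used as the reference in cross-format comparisons. The rest of the hunk mirrors the JSON fixture, including the two contacts and the `555-212-970-4133` phone.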
@@ -97,8 +97,8 @@ message Component { optional string bom_ref = 3; // The organization that supplied the component. The supplier may often be the manufacture, but may also be a distributor or repackager. optional OrganizationalEntity supplier = 4; - // The person(s) or organization(s) that authored the component - optional string author = 5; + // This will be removed in a future version. Use `.authors` or `.manufacturer` instead. The person(s) or organization(s) that authored the component + optional string author = 5 [deprecated = true]; // The person(s) or organization(s) that published the component optional string publisher = 6; // The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org. 
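Review bot: `optional string author = 5 [deprecated = true];` keeps the wire number, which is right, but nothing records that 5 must never be reused once the field is finally dropped; the same applies to `manufacture = 5` in the Metadata hunk of this patch. I would extend the comment: `// When this field is removed, keep its number reserved (reserved 5;) — reusing it for another type breaks wire compatibility.` Also note that `[deprecated = true]` only surfaces as a compiler warning in some generated languages, so most consumers will learn of the deprecation from the comment text alone.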
@@ -141,6 +141,10 @@ message Component { optional ComponentData data = 26; // Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference. optional CryptoProperties cryptoProperties = 27; + // The organization that created the component. Manufacturer is common in components created through automated processes. Components created through manual means may have `.authors` instead. + optional OrganizationalEntity manufacturer = 28; + // The person(s) who created the component. Authors are common in components created through manual processes. Components created through automated means may have `.manufacturer` instead. + repeated OrganizationalContact authors = 29; } // Specifies the data flow. 
@@ -440,12 +444,12 @@ message Metadata { optional google.protobuf.Timestamp timestamp = 1; // The tool(s) used in the creation of the BOM. optional Tool tools = 2; - // The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors. + // The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may have '.manufacturer' instead. repeated OrganizationalContact authors = 3; // The component that the BOM describes. optional Component component = 4; - // The organization that manufactured the component that the BOM describes. - optional OrganizationalEntity manufacture = 5; + // DEPRECATED - DO NOT USE. This will be removed in a future version. Use the `.component.manufacturer` instead. The organization that manufactured the component that the BOM describes. + optional OrganizationalEntity manufacture = 5 [deprecated = true]; // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager. optional OrganizationalEntity supplier = 6; // The license information for the BOM document. This may be different from the license(s) of the component that the BOM describes. @@ -454,6 +458,8 @@ message Metadata { repeated Property properties = 8; // The product lifecycle(s) that this BOM represents. repeated Lifecycles lifecycles = 9; + // The organization that created the BOM. Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '.authors' instead. + optional OrganizationalEntity manufacturer = 10; } message Lifecycles { diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.textproto b/tools/src/test/resources/1.6/valid-bom-1.6.textproto index 3e81e348..97903a05 100644 --- a/tools/src/test/resources/1.6/valid-bom-1.6.textproto 
+++ b/tools/src/test/resources/1.6/valid-bom-1.6.textproto @@ -40,20 +40,20 @@ metadata { } } } - manufacture { + supplier { name: "Acme, Inc." url: "https://example.com" contact { - name: "Acme Professional Services" - email: "professional.services@example.com" + name: "Acme Distribution" + email: "distribution@example.com" } } - supplier { + manufacturer { name: "Acme, Inc." url: "https://example.com" contact { - name: "Acme Distribution" - email: "distribution@example.com" + name: "Acme Professional Services" + email: "professional.services@example.com" } } } diff --git a/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.textproto b/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.textproto index 0ad3c0b8..d5bc8f1b 100644 --- a/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.textproto @@ -3,7 +3,7 @@ version: 1 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" metadata { manufacture { - name: "Acme, Inc." + name: "Acme, Inc. // deprecated" url: "https://example.com" contact { name: "Acme Professional Services" diff --git a/tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.textproto b/tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.textproto new file mode 100644 index 00000000..00b1fcd7 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.textproto @@ -0,0 +1,15 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +metadata { + manufacturer { + name: "Acme, Inc." + url: "https://example.com" + contact { + name: "Acme Professional Services" + email: "professional.services@example.com" + bom_ref: "contact-1" + } + bom_ref: "manufacturer-1" + } +} From 8b0f6e66f15966694e7878e22762e4f46aa58b87 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 20 Feb 2024 23:38:07 +0100 Subject: [PATCH 8/9] typo 
Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 8e802f4a..32b5bfc3 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -97,7 +97,7 @@ message Component { optional string bom_ref = 3; // The organization that supplied the component. The supplier may often be the manufacture, but may also be a distributor or repackager. optional OrganizationalEntity supplier = 4; - // This will be removed in a future version. Use `.authors` or `.manufacturer` instead. The person(s) or organization(s) that authored the component + // DEPRECATED - DO NOT USE - This will be removed in a future version - Use `.authors` or `.manufacturer` instead. The person(s) or organization(s) that authored the component optional string author = 5 [deprecated = true]; // The person(s) or organization(s) that published the component optional string publisher = 6; @@ -448,7 +448,7 @@ message Metadata { repeated OrganizationalContact authors = 3; // The component that the BOM describes. optional Component component = 4; - // DEPRECATED - DO NOT USE. This will be removed in a future version. Use the `.component.manufacturer` instead. The organization that manufactured the component that the BOM describes. + // DEPRECATED - DO NOT USE - This will be removed in a future version - Use the `.component.manufacturer` instead. The organization that manufactured the component that the BOM describes. optional OrganizationalEntity manufacture = 5 [deprecated = true]; // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager. optional OrganizationalEntity supplier = 6; From b31cdb1b5c6477073959686517ffe2f6eb0f1d33 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 21 Feb 2024 00:15:25 +0100 Subject: [PATCH 9/9] protobuff test case 
Signed-off-by: Jan Kowalleck --- .../test/resources/1.6/valid-bom-1.6.textproto | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.textproto b/tools/src/test/resources/1.6/valid-bom-1.6.textproto index 97903a05..b1009915 100644 --- a/tools/src/test/resources/1.6/valid-bom-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-bom-1.6.textproto @@ -60,6 +60,7 @@ metadata { components { type: CLASSIFICATION_LIBRARY bom_ref: "pkg:npm/acme/component@1.0.0" + author: "Joane Doe et al." publisher: "Acme Inc" group: "com.acme" name: "tomcat-catalina" @@ -141,6 +142,22 @@ components { group: "org.example" name: "mylibrary" version: "1.0.0" + manufacturer { + name: "Example-2, Inc." + url: "https://example.org" + contact { + email: "support@example.org" + } + } + authors { + name: "Anthony Edward Stark" + email: "ironman@example.org" + phone: "555-212-970-4133" + } + authors { + name: "Peter Benjamin Parker" + email: "spiderman@example.org" + } } dependencies { ref: "pkg:npm/acme/component@1.0.0"