diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index a25cf5d5..5e46f6c5 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
@@ -892,6 +892,12 @@
"title": "Component Version",
"description": "The component version. The version should ideally comply with semantic versioning but is not enforced."
},
+ "versionRange": {
+ "$ref": "#/definitions/versionRange",
+ "title": "Component Version Range",
+ "description": "The component version range that may be provided to fulfill this capability.\nMAY only occur if property `isExtraneous` is set to 'true'.",
+ "$comment": "a rule is taking cate of the plausibility between `version`/`versionRange` and `isExtraneous`=='true'"
+ },
"description": {
"type": "string",
"title": "Component Description",
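Review bot: The `$comment` on the new `versionRange` property has a typo, "taking cate of" should read "taking care of", and its `'true'` uses single quotes where the JSON boolean is bare `true` (the XSD text at L74 writes it as `` `true` ``), so the two descriptions of the same rule should use one spelling. The description's "MAY only occur if property `isExtraneous` is set to 'true'" is weaker than the rule the schema actually enforces below (a MUST NOT); I would write it as `"description": "The component version range that may be provided to fulfill this capability.\nMUST NOT be present unless `isExtraneous` is `true`."` and the same fix applies to the XSD annotation at L74. The enclosing `properties` object of the component definition begins and ends outside this hunk.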
@@ -913,6 +919,12 @@
"description": "Specifies the scope of the component. If scope is not specified, 'required' scope SHOULD be assumed by the consumer of the BOM.",
"default": "required"
},
+ "isExtraneous": {
+ "type": "boolean",
+ "title": "Component Is Extraneous",
+ "description": "Whether this component is extraneous.\nAn extraneous component is not part of an assembly, but are (expected to be) provided by the environment, regardless of the component's `scope`.",
+ "default": false
+ },
"hashes": {
"type": "array",
"title": "Component Hashes",
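Review bot: The `isExtraneous` description has a subject-verb disagreement, "An extraneous component is not part of an assembly, but are (expected to be) provided by the environment"; since the subject is singular it should read `"An extraneous component is not part of an assembly, but is (expected to be) provided by the environment, regardless of the component's `scope`."`. The identical sentence is repeated in the XSD annotation at L85 and should be corrected there as well. Note also that `"default": false` is an annotation in JSON Schema and does not itself make an absent `isExtraneous` behave as `false`; the enforcement for the absent case comes from the `if`/`then` rule added later in this file, which is worth saying in a `$comment` so the two are not read as redundant.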
@@ -1037,7 +1049,19 @@
"title": "Signature",
"description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
}
- }
+ },
+ "allOf": [
+ {
+ "$comment": "property `version` and `versionRange` MUST NOT exist at the same time.",
+ "not": { "required": ["version", "versionRange"] }
+ },
+ {
+ "$comment": "`version-range` MUST only be present, if `isExtraneous` is `true`",
+ "if": { "properties": { "isExtraneous": { "const": false } } },
+ "then": { "not": { "required": ["versionRange"] } },
+ "else": true
+ }
+ ]
},
"swid": {
"type": "object",
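Review bot: The second `$comment` in the new `allOf` refers to `version-range`, but the property it guards is `versionRange` (and the first `$comment` spells it that way), so the name should be corrected to match the schema. The `if` branch works for the implicit-default case only because `properties` validates vacuously when `isExtraneous` is absent, which is subtle enough that a later editor might "tighten" it with `required` and break the implicit case; I would record the reason in the comment, e.g. `"$comment": "`versionRange` MUST NOT be present unless `isExtraneous` is `true`; an absent `isExtraneous` passes the `const: false` check vacuously, so the default case is rejected too"`. The `"else": true` at L46 is the keyword's default and can be dropped. Both test fixtures named `non-extraneous-implicit` below rely on exactly this vacuous-match behaviour.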
diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
index e500f8e8..4f510f51 100644
--- a/schema/bom-1.6.xsd
+++ b/schema/bom-1.6.xsd
@@ -500,12 +500,24 @@ limitations under the License.
of the component. Examples: commons-lang3 and jquery
-
-
- The component version. The version should ideally comply with semantic versioning
- but is not enforced.
-
-
+
+
+
+ The component version. The version should ideally comply with semantic versioning
+ but is not enforced.
+
+
+
+
+ The component version range that may be provided to fulfill this capability.
+ MAY only occur if attribute `isExtraneous` is set to `true`.
+
+
+
+
Specifies a description for the component
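Review bot: The new `versionRange` annotation states the dependency on `isExtraneous` as documentation only, and the fixture names `informal-invalid-component-versionRange-non-extraneous-*.xml` added later in this commit suggest the XSD does not (and in XSD 1.0 cannot) enforce it; if that reading is right, the annotation should say so explicitly, so XML consumers know the check is theirs, e.g. add `This constraint is not enforced by this schema; consumers SHOULD validate it.` after the existing sentence. As in the JSON schema, "MAY only occur if" understates a prohibition and reads better as `MUST NOT be present unless attribute `isExtraneous` is `true`.` The element markup of this hunk is not visible in the rendering I see, so I cannot confirm whether `version` and `versionRange` are placed in a choice group that would enforce their mutual exclusion.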
@@ -667,12 +679,27 @@ limitations under the License.
+
+
+
+ Whether this component is extraneous.
+ An extraneous component is not part of an assembly, but are (expected to be) provided by the environment, regardless of the component's `scope`.
+
+
+
User-defined attributes may be used on this element as long as they
do not have the same name as an existing attribute used by the schema.
+
diff --git a/tools/src/test/resources/1.6/informal-invalid-component-versionRange-non-extraneous-explicit.xml b/tools/src/test/resources/1.6/informal-invalid-component-versionRange-non-extraneous-explicit.xml
new file mode 100644
index 00000000..6a0c73fc
--- /dev/null
+++ b/tools/src/test/resources/1.6/informal-invalid-component-versionRange-non-extraneous-explicit.xml
@@ -0,0 +1,16 @@
+
+
+
+
+
+ InvalidVersions
+ =9.0.0|<10.0.0]]>
+ versionRange may only exist on extraneous components, set `isExtraneous` explicit
+
+
+
\ No newline at end of file
diff --git a/tools/src/test/resources/1.6/informal-invalid-component-versionRange-non-extraneous-implicit.xml b/tools/src/test/resources/1.6/informal-invalid-component-versionRange-non-extraneous-implicit.xml
new file mode 100644
index 00000000..7572e7f8
--- /dev/null
+++ b/tools/src/test/resources/1.6/informal-invalid-component-versionRange-non-extraneous-implicit.xml
@@ -0,0 +1,17 @@
+
+
+
+
+
+
+ InvalidVersions
+ =9.0.0|<10.0.0]]>
+ versionRange may only exist on extraneous components, set `isExtraneous` implicit by default value
+
+
+
\ No newline at end of file
diff --git a/tools/src/test/resources/1.6/invalid-component-version-and-range.json b/tools/src/test/resources/1.6/invalid-component-version-and-range.json
new file mode 100644
index 00000000..3c7c3925
--- /dev/null
+++ b/tools/src/test/resources/1.6/invalid-component-version-and-range.json
@@ -0,0 +1,15 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "components": [
+ {
+ "type": "library",
+ "name": "InvalidVersions",
+ "description": "may have `version` or `versionRange`, not both. This one does - it is invalid",
+ "version": "9.0.14",
+ "versionRange": ">=9.0.0|<10.0.0"
+ }
+ ]
+}
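Review bot: This fixture violates both new component rules at once, because it carries `version` and `versionRange` together and also omits `isExtraneous`, so a validator rejecting it could be firing on either the mutual-exclusion rule or the `isExtraneous` rule, and a regression in one of them would go unnoticed. A second negative fixture with `"isExtraneous": true, "version": "9.0.14", "versionRange": ">=9.0.0|<10.0.0"` would exercise the mutual-exclusion rule in isolation; the existing `non-extraneous-*` fixtures already isolate the other one. The same coverage gap applies to the XML counterpart at L150.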
diff --git a/tools/src/test/resources/1.6/invalid-component-version-and-range.xml b/tools/src/test/resources/1.6/invalid-component-version-and-range.xml
new file mode 100644
index 00000000..354842a8
--- /dev/null
+++ b/tools/src/test/resources/1.6/invalid-component-version-and-range.xml
@@ -0,0 +1,13 @@
+
+
+
+
+ InvalidVersions
+ 9.0.14
+ =9.0.0|<10.0.0]]>
+ may have `version` or `versionRange`, not both. This one does - it is invalid
+
+
+
\ No newline at end of file
diff --git a/tools/src/test/resources/1.6/invalid-component-versionRange-non-extraneous-explicit.json b/tools/src/test/resources/1.6/invalid-component-versionRange-non-extraneous-explicit.json
new file mode 100644
index 00000000..6d24299d
--- /dev/null
+++ b/tools/src/test/resources/1.6/invalid-component-versionRange-non-extraneous-explicit.json
@@ -0,0 +1,15 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "components": [
+ {
+ "type": "library",
+ "name": "InvalidVersions",
+ "description": "versionRange may only exist on extraneous components, set `isExtraneous` explicit",
+ "isExtraneous": false,
+ "versionRange": ">=9.0.0|<10.0.0"
+ }
+ ]
+}
diff --git a/tools/src/test/resources/1.6/invalid-component-versionRange-non-extraneous-implicit.json b/tools/src/test/resources/1.6/invalid-component-versionRange-non-extraneous-implicit.json
new file mode 100644
index 00000000..d414cfb7
--- /dev/null
+++ b/tools/src/test/resources/1.6/invalid-component-versionRange-non-extraneous-implicit.json
@@ -0,0 +1,14 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "components": [
+ {
+ "type": "library",
+ "name": "InvalidVersions",
+ "description": "versionRange may only exist on extraneous components, set `isExtraneous` implicit by default value",
+ "versionRange": ">=9.0.0|<10.0.0"
+ }
+ ]
+}
diff --git a/tools/src/test/resources/1.6/valid-component-extraneous-no-version-information.json b/tools/src/test/resources/1.6/valid-component-extraneous-no-version-information.json
new file mode 100644
index 00000000..ab2e2c9c
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-component-extraneous-no-version-information.json
@@ -0,0 +1,14 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "components": [
+ {
+ "type": "library",
+ "name": "Foo",
+ "description": "extraneous without any version constraints",
+ "isExtraneous": true
+ }
+ ]
+}
diff --git a/tools/src/test/resources/1.6/valid-component-extraneous-no-version-information.xml b/tools/src/test/resources/1.6/valid-component-extraneous-no-version-information.xml
new file mode 100644
index 00000000..29c237e4
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-component-extraneous-no-version-information.xml
@@ -0,0 +1,11 @@
+
+
+
+
+ Foo
+ extraneous without any version constraints
+
+
+
\ No newline at end of file
diff --git a/tools/src/test/resources/1.6/valid-component-extraneous-with-version.json b/tools/src/test/resources/1.6/valid-component-extraneous-with-version.json
new file mode 100644
index 00000000..59f9bd5e
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-component-extraneous-with-version.json
@@ -0,0 +1,15 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "components": [
+ {
+ "type": "library",
+ "name": "Foo",
+ "description": "extraneous with version constraint",
+ "isExtraneous": true,
+ "version": "9.1.24"
+ }
+ ]
+}
diff --git a/tools/src/test/resources/1.6/valid-component-extraneous-with-version.xml b/tools/src/test/resources/1.6/valid-component-extraneous-with-version.xml
new file mode 100644
index 00000000..9b9a4a92
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-component-extraneous-with-version.xml
@@ -0,0 +1,12 @@
+
+
+
+
+ Foo
+ 9.1.24
+ extraneous with version constraint
+
+
+
\ No newline at end of file
diff --git a/tools/src/test/resources/1.6/valid-component-extraneous-with-versionRange.json b/tools/src/test/resources/1.6/valid-component-extraneous-with-versionRange.json
new file mode 100644
index 00000000..b180187e
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-component-extraneous-with-versionRange.json
@@ -0,0 +1,15 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "components": [
+ {
+ "type": "library",
+ "name": "Foo",
+ "description": "extraneous with version range constraints",
+ "isExtraneous": true,
+ "versionRange": ">=9.0.0|<10.0.0"
+ }
+ ]
+}
diff --git a/tools/src/test/resources/1.6/valid-component-extraneous-with-versionRange.xml b/tools/src/test/resources/1.6/valid-component-extraneous-with-versionRange.xml
new file mode 100644
index 00000000..886785f7
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-component-extraneous-with-versionRange.xml
@@ -0,0 +1,12 @@
+
+
+
+
+ Foo
+ =9.0.0|<10.0.0]]>
+ extraneous with version range constraints
+
+
+
\ No newline at end of file