fix!: VulnerabilityReference all props mandatory (#792)

fixes #790

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

Diff for: cyclonedx/model/vulnerability.py

@@ -486,43 +486,46 @@ class VulnerabilityReference:
 
     .. note::
         See the CycloneDX schema: https://cyclonedx.org/docs/1.6/xml/#type_vulnerabilityType
+
+    .. note::
+        Properties ``id`` and ``source`` are mandatory.
+        In v1.4 JSON scheme, both properties were mandatory: https://github.com/CycloneDX/specification/blob/d570ffb8956d796585b9574e57598c42ee9de770/schema/bom-1.4.schema.json#L1455-L1474
+        In v1.4 XML schema, both properties were optional: https://github.com/CycloneDX/specification/blob/d570ffb8956d796585b9574e57598c42ee9de770/schema/bom-1.4.xsd#L1788-L1797
+        In v1.5 XML schema, both were mandatory: https://github.com/CycloneDX/specification/blob/d570ffb8956d796585b9574e57598c42ee9de770/schema/bom-1.5.xsd#L3364-L3374
+        Decision: since CycloneDXCoreWorkingGroup chose JSON schema as the dominant schema, the one that serves as first spec implementation, and since XML schema was "fixed" to work same as JSON schema, we'd consider it canon/spec that both properties were always mandatory.
     """
 
     def __init__(
         self, *,
-        id: Optional[str] = None,
-        source: Optional[VulnerabilitySource] = None,
+        id: str,
+        source: VulnerabilitySource,
     ) -> None:
-        if not id and not source:
-            raise NoPropertiesProvidedException(
-                'Either id or source must be provided for a VulnerabilityReference - neither provided'
-            )
         self.id = id
         self.source = source
 
     @property
     @serializable.xml_sequence(1)
     @serializable.xml_string(serializable.XmlStringSerializationType.NORMALIZED_STRING)
-    def id(self) -> Optional[str]:
+    def id(self) -> str:
         """
         The identifier that uniquely identifies the vulnerability in the associated Source. For example: CVE-2021-39182.
         """
         return self._id
 
     @id.setter
-    def id(self, id: Optional[str]) -> None:
+    def id(self, id: str) -> None:
         self._id = id
 
     @property
     @serializable.xml_sequence(2)
-    def source(self) -> Optional[VulnerabilitySource]:
+    def source(self) -> VulnerabilitySource:
         """
         The source that published the vulnerability.
         """
         return self._source
 
     @source.setter
-    def source(self, source: Optional[VulnerabilitySource]) -> None:
+    def source(self, source: VulnerabilitySource) -> None:
         self._source = source
 
     def __comparable_tuple(self) -> _ComparableTuple: