
fix: make VulnerabilityReference arguments mandatory #790

Closed
indiVar0508 opened this issue Feb 23, 2025 · 5 comments · Fixed by #792 or #777
Labels: breaking change, bug (Something isn't working), help wanted (Extra attention is needed)


indiVar0508 commented Feb 23, 2025

This issue is created from this thread re: #786 (comment)

It's been noticed that the VulnerabilityReference class in the implementation defines the attributes id and source as optional
(ref: https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/cyclonedx/model/vulnerability.py#L486...L497)

but if we refer to the CycloneDX documentation:

```
<bom:references> [0..1]
    Start Sequence [0..*]
    <bom:reference> [1]
        <bom:id> xs:normalizedString </bom:id> [1]
        <bom:source> bom:vulnerabilitySourceType </bom:source> [1]
    </bom:reference>
    Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
    End Sequence
</bom:references>
```

The references element is optional, but if a reference is defined, id and source are mandatory; the current implementation treats these as optional.
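As an added illustration of the rule quoted above (this is example code, not the issue author's and not cyclonedx-python-lib's own model classes): a lenient reference shape that mirrors the pre-fix behaviour sits beside a strict one that enforces the schema's `[1]` cardinality for `id` and `source`, and a small checker walks a JSON-shaped vulnerability object and reports every reference that would fail the rule. The `VulnerabilitySource` fields (`name`, `url`), the `reference_problems` function and the sample data are assumptions made for this example only.

```python
from dataclasses import dataclass
from typing import Any, Optional


# Constructed stand-in for the library's source type; the 'name'/'url' members
# are an assumption for this example, not taken from the issue.
@dataclass(frozen=True)
class VulnerabilitySource:
    name: Optional[str] = None
    url: Optional[str] = None


@dataclass(frozen=True)
class LenientVulnerabilityReference:
    """Mirrors the pre-fix shape described in the issue: both fields default to
    None, so an empty reference can be constructed and would serialize into a
    document that violates the schema's [1] cardinality."""
    id: Optional[str] = None
    source: Optional[VulnerabilitySource] = None


@dataclass(frozen=True)
class StrictVulnerabilityReference:
    """Mirrors the schema rule quoted in the issue: once a reference exists,
    both id and source are mandatory, so construction fails fast instead of
    producing an invalid BOM later."""
    id: str
    source: VulnerabilitySource

    def __post_init__(self) -> None:
        if not isinstance(self.id, str) or not self.id.strip():
            raise ValueError("VulnerabilityReference.id is mandatory and must be non-empty")
        if not isinstance(self.source, VulnerabilitySource):
            raise ValueError("VulnerabilityReference.source is mandatory")


def reference_problems(vulnerability: dict[str, Any]) -> list[str]:
    """Check the JSON-shaped 'references' array of one vulnerability object.

    'references' itself is optional ([0..1]); every entry that is present must
    carry a non-empty 'id' and a 'source' object. Returns one message per
    defect, or an empty list when the object satisfies the rule.
    """
    problems: list[str] = []
    refs = vulnerability.get("references")
    if refs is None:
        return problems  # absent is allowed by the schema
    if not isinstance(refs, list):
        return ["'references' must be an array"]
    for index, ref in enumerate(refs):
        if not isinstance(ref, dict):
            problems.append(f"references[{index}]: not an object")
            continue
        ref_id = ref.get("id")
        if not isinstance(ref_id, str) or not ref_id.strip():
            problems.append(f"references[{index}]: missing or empty 'id'")
        if not isinstance(ref.get("source"), dict):
            problems.append(f"references[{index}]: missing 'source' object")
    return problems


# Constructed sample (placeholder identifiers, not real advisories): one
# well-formed reference followed by one without an id and one without a source.
SAMPLE_VULNERABILITY: dict[str, Any] = {
    "id": "VULN-EXAMPLE-1",
    "references": [
        {"id": "REF-EXAMPLE-1", "source": {"name": "example-source"}},
        {"source": {"name": "example-source"}},
        {"id": "REF-EXAMPLE-3"},
    ],
}


def demo() -> tuple[list[str], bool, bool]:
    """Run the checker on the sample and contrast the two model shapes."""
    problems = reference_problems(SAMPLE_VULNERABILITY)
    lenient_accepts_empty = LenientVulnerabilityReference().id is None
    try:
        StrictVulnerabilityReference(id="", source=VulnerabilitySource(name="example-source"))
        strict_rejects_empty = False
    except ValueError:
        strict_rejects_empty = True
    return problems, lenient_accepts_empty, strict_rejects_empty


if __name__ == "__main__":
    found, lenient_ok, strict_rejected = demo()
    for message in found:
        print(message)
    print("lenient model accepts an empty reference:", lenient_ok)
    print("strict model rejects an empty id:", strict_rejected)
```

The checker is the piece a defender would keep around: running it over incoming BOMs catches references that a lenient producer emitted without `id` or `source` before such a document is accepted into a vulnerability pipeline, and the strict dataclass shows why making the constructor arguments mandatory closes the same gap on the producing side.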


@jkowalleck jkowalleck changed the title make VulnerabilityReference arguments are mandatory make VulnerabilityReference arguments mandatory Feb 25, 2025
@jkowalleck jkowalleck added enhancement New feature or request bug Something isn't working breaking change and removed enhancement New feature or request labels Feb 25, 2025
@jkowalleck jkowalleck changed the title make VulnerabilityReference arguments mandatory fix: make VulnerabilityReference arguments mandatory Feb 25, 2025
@jkowalleck jkowalleck added the help wanted Extra attention is needed label Feb 25, 2025
@jkowalleck jkowalleck added this to the 9.0.0 milestone Feb 25, 2025
jkowalleck commented

This fix will alter the public API, and is therefore considered a breaking change.
This is not a stopper, just a remark.

@jkowalleck jkowalleck self-assigned this Feb 25, 2025
jkowalleck commented

I'll be working on this.

jkowalleck commented

Did some research.

since JSON schema was chosen as the dominant schema, the one that serves as first spec implementation,
and since XML schema was "fixed" to work same as JSON schema,
I'd consider it canon/spec that both properties were always mandatory.

jkowalleck added a commit that referenced this issue Feb 25, 2025
fixes #790

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
jkowalleck added a commit that referenced this issue Feb 26, 2025
### BREAKING Changes

* Fix: `model.vulnerability.VulnerabilityReference`'s properties are all
mandatory
([#790](#790)
via [#792](#792))
* Refactor: Rename `spdx.is_compund_expression` -> `spdx.is_expression`
([#779](#779))
* Behavior: `BomRef` affects comparison/hashing
([#754](#754) &
[#780](#780))
  This is only a breaking change if you relied on ordering of elements.
* Behavior: streamline comparison/hashing functions
([#755](#755))
  This is only a breaking change if you relied on ordering of elements.
* Dependency: bump dependency `py-serializable >=2 <3`, was `>=1.1.1 <2`
([#775](#775))
This is only a breaking change if you have other packages depend on that
specific version.

---------

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: wkoot <3715211+wkoot@users.noreply.github.com>
Signed-off-by: semantic-release <semantic-release@bot.local>
Co-authored-by: wkoot <3715211+wkoot@users.noreply.github.com>
Co-authored-by: semantic-release <semantic-release@bot.local>
jkowalleck commented

was released via https://github.com/CycloneDX/cyclonedx-python-lib/releases/tag/v9.0.0
