Schema for Properties
It would be really nice to be able to provide an internal schema specification for the Properties Array, and validate that the properties conform to expected patterns.
Issue: The properties object key - value pairing is both awesome, flexible, and remarkably frustrating. The ability to provide a schema that enforces some conformity would be extremely helpful.
Outcome Goal:
- Validate properties against a separate, well-defined schema (JSON)
According to https://github.com/CycloneDX/specification/blob/master/schema/bom-1.4.xsd#L90-L98 there is an index of defined/known properties and prefixes: https://github.com/CycloneDX/cyclonedx-property-taxonomy
<xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>Provides the ability to document properties in a key/value store.
This provides flexibility to include data not officially supported in the standard
without having to use additional namespaces or create extensions. Property names
of interest to the general public are encouraged to be registered in the
CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
Formal registration is OPTIONAL.</xs:documentation>
</xs:annotation>
</xs:element>
Currently there is no format/schema defined for the property-key.
Adding a format/schema restriction would be a breaking change for me, because it might require me to change keys already in use if they do not conform to the newly introduced format/schema.
@jkowalleck I'm not looking for the CycloneDX Schema itself to enforce the structure; I want the CycloneDX Schema to ALLOW a user to identify a schema to validate the properties against. If you want KV pairs without a schema, then don't use one, but I need to be able to validate that additional fields exist and conform to a specification.
This shouldn't be a breaking change and should be the ABILITY to enforce.
The core team has discussed the ability to have a JSON file that describes the property taxonomy (in addition to the existing readme). The root taxonomy JSON file could then specify organization-specific JSON files containing enums of property names.
This work could be implemented independent of the core spec. But we have not yet defined what this would look like, only that it could be done. We've also discussed using DNS to help resolve the schemas at an organizational level as well.
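A sketch of the opt-in validation discussed in this thread, added here as an example and not CycloneDX project code. The taxonomy layout (a namespace mapping to `required` names and a `properties` enum with value patterns), the `acme` namespace, and the sample properties are all assumptions, since the thread states no format has been defined yet.

```python
import json
import re

# Hypothetical organization taxonomy file (constructed; layout is an assumption).
TAXONOMY = json.loads("""
{
  "acme": {
    "required": ["acme:build:pipeline-id"],
    "properties": {
      "acme:build:pipeline-id": "[0-9]+",
      "acme:review:status": "approved|pending"
    }
  }
}
""")

# Constructed CycloneDX-style properties array (name/value pairs).
SAMPLE_PROPERTIES = [
    {"name": "acme:build:pipeline-id", "value": "48213"},
    {"name": "acme:review:status", "value": "maybe"},
    {"name": "acme:review:statsu", "value": "approved"},
    {"name": "other:free-form", "value": "anything"},
]


def validate_properties(properties, taxonomy):
    """Return a list of findings; an empty list means the properties conform."""
    findings = []
    seen = set()
    for prop in properties:
        name = prop.get("name", "")
        value = str(prop.get("value", ""))
        rules = taxonomy.get(name.split(":", 1)[0])
        if rules is None:
            continue  # namespace has no schema: nothing is enforced (opt-in)
        seen.add(name)
        pattern = rules["properties"].get(name)
        if pattern is None:
            findings.append(f"unknown property in governed namespace: {name}")
        elif not re.fullmatch(pattern, value):
            findings.append(f"bad value for {name}: {value!r}")
    # Required names are checked once per governed namespace.
    for rules in taxonomy.values():
        for name in rules.get("required", []):
            if name not in seen:
                findings.append(f"missing required property: {name}")
    return findings


if __name__ == "__main__":
    for finding in validate_properties(SAMPLE_PROPERTIES, TAXONOMY):
        print(finding)
```

Properties in namespaces without a taxonomy entry pass untouched, so existing free-form keys keep working while a governed namespace catches typos such as `acme:review:statsu`.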