From 68f33407966dc985c6d0ff3094343689d98512ee Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Sun, 22 Oct 2023 17:22:34 +0200
Subject: [PATCH] draft: JSON - extraneous comp and version range
related to https://github.com/CycloneDX/specification/issues/321 #321
Signed-off-by: Jan Kowalleck
---
 schema/bom-1.6.schema.json | 23 ++++++++++++++++++-
 .../invalid-component-version-and-range.json | 15 ++++++++++++
 ...-versionRange-non-extraneous-explicit.json | 15 ++++++++++++
 ...-versionRange-non-extraneous-implicit.json | 14 +++++++++++
 ...ent-extraneous-no-version-information.json | 14 +++++++++++
 ...lid-component-extraneous-with-version.json | 15 ++++++++++++
 ...omponent-extraneous-with-versionRange.json | 15 ++++++++++++
 7 files changed, 110 insertions(+), 1 deletion(-)
 create mode 100644 tools/src/test/resources/1.6/invalid-component-version-and-range.json
 create mode 100644 tools/src/test/resources/1.6/invalid-component-versionRange-non-extraneous-explicit.json
 create mode 100644 tools/src/test/resources/1.6/invalid-component-versionRange-non-extraneous-implicit.json
 create mode 100644 tools/src/test/resources/1.6/valid-component-extraneous-no-version-information.json
 create mode 100644 tools/src/test/resources/1.6/valid-component-extraneous-with-version.json
 create mode 100644 tools/src/test/resources/1.6/valid-component-extraneous-with-versionRange.json
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index dc93c21f..eeb175d1 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
@@ -461,6 +461,10 @@
 "title": "Component Version",
 "description": "The component version. The version should ideally comply with semantic versioning but is not enforced."
 },
+"versionRange": {
+"$ref": "#/definitions/versionRange",
+"title": "Component Version Range"
+},
 "description": {
 "type": "string",
 "title": "Component Description",
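Review bot: The new `versionRange` property carries only a `title`; unlike its sibling `version` directly above it has no `description`, so a reader of the generated reference cannot learn at this spot that it is mutually exclusive with `version` and only permitted when `isExtraneous` is `true` — both rules are enforced by an `allOf` added further down in the same definition. Add a description that states the two constraints and points at the referenced range syntax, e.g. `"description": "A version range for an extraneous component. MUST NOT be combined with version, and MUST only be present when isExtraneous is true."`. Consumers that match vulnerabilities by version need that hint, since a range rather than a pinned version means the installed artifact is not exactly known. The enclosing component definition starts and ends outside this hunk.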
@@ -477,6 +481,12 @@
 "description": "Specifies the scope of the component. If scope is not specified, 'required' scope SHOULD be assumed by the consumer of the BOM.",
 "default": "required"
 },
+"isExtraneous": {
+"type": "boolean",
+"title": "Component Is Extraneous",
+"description": "Whether this component is extraneous.\nAn extraneous component is not part of an assembly, but are (expected to be) provided by the environment, regardless of the component's `scope`.",
+"default": false
+},
 "hashes": {
 "type": "array",
 "title": "Component Hashes",
@@ -601,7 +611,18 @@
 "title": "Signature",
 "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
 }
-}
+},
+"allOf": [
+{
+"$comment": "property `version` and `versionRange` MUST NOT exist at the same time.",
+"not": { "required": ["version", "versionRange"] }
+},
+{
+"$comment": "`version-range` MUST only be present, if `isExtraneous` is `true`",
+"if": { "properties": { "isExtraneous": { "const": false } } },
+"then": { "not": { "required": ["versionRange"] } }
+}
+]
 },
 "swid": {
 "type": "object",
diff --git a/tools/src/test/resources/1.6/invalid-component-version-and-range.json b/tools/src/test/resources/1.6/invalid-component-version-and-range.json
new file mode 100644
index 00000000..3c7c3925
--- /dev/null
+++ b/tools/src/test/resources/1.6/invalid-component-version-and-range.json
@@ -0,0 +1,15 @@
+{
+"bomFormat": "CycloneDX",
+"specVersion": "1.6",
+"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+"version": 1,
+"components": [
+{
+"type": "library",
+"name": "InvalidVersions",
+"description": "may have `version` or `versionRange`, not both. This one does - it is invalid",
+"version": "9.0.14",
+"versionRange": ">=9.0.0|<10.0.0"
+}
+]
+}
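Review bot: The `description` of `isExtraneous` has a number disagreement — "An extraneous component is not part of an assembly, but are (expected to be) provided" — and should read `but is (expected to be) provided`. It would also help consumers to state what the flag implies for their handling: an extraneous component describes an environment-provided dependency whose exact installed version may not be known to the producer, which is why the definition admits a `versionRange` for it, so tooling should not treat it as a pinned artifact. Suggested wording: `"description": "Whether this component is extraneous.\nAn extraneous component is not part of an assembly, but is (expected to be) provided by the environment, regardless of the component's scope. Its exact version may therefore be unknown to the producer."`. The enclosing component definition starts and ends outside this hunk.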
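Review bot: The second `$comment` refers to a property named `version-range`, but the property defined above is `versionRange`; keep the comment in sync, `"$comment": "versionRange MUST only be present if isExtraneous is true"`. It is also worth a comment why the case of an omitted `isExtraneous` is covered: `properties` validates vacuously when the key is absent, so the `if` also matches an instance without `isExtraneous` and `then` forbids `versionRange` there. That is correct, but it is not the `"default": false` annotation doing the work — JSON Schema validators do not apply defaults — and a one-line `$comment` saying so would stop the next editor from "fixing" it with `required`. The `allOf` is appended to the component definition, whose start lies outside this hunk.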
diff --git a/tools/src/test/resources/1.6/invalid-component-versionRange-non-extraneous-explicit.json b/tools/src/test/resources/1.6/invalid-component-versionRange-non-extraneous-explicit.json
new file mode 100644
index 00000000..6d24299d
--- /dev/null
+++ b/tools/src/test/resources/1.6/invalid-component-versionRange-non-extraneous-explicit.json
@@ -0,0 +1,15 @@
+{
+"bomFormat": "CycloneDX",
+"specVersion": "1.6",
+"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+"version": 1,
+"components": [
+{
+"type": "library",
+"name": "InvalidVersions",
+"description": "versionRange may only exist on extraneous components, set `isExtraneous` explicit",
+"isExtraneous": false,
+"versionRange": ">=9.0.0|<10.0.0"
+}
+]
+}
diff --git a/tools/src/test/resources/1.6/invalid-component-versionRange-non-extraneous-implicit.json b/tools/src/test/resources/1.6/invalid-component-versionRange-non-extraneous-implicit.json
new file mode 100644
index 00000000..d414cfb7
--- /dev/null
+++ b/tools/src/test/resources/1.6/invalid-component-versionRange-non-extraneous-implicit.json
@@ -0,0 +1,14 @@
+{
+"bomFormat": "CycloneDX",
+"specVersion": "1.6",
+"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+"version": 1,
+"components": [
+{
+"type": "library",
+"name": "InvalidVersions",
+"description": "versionRange may only exist on extraneous components, set `isExtraneous` implicit by default value",
+"versionRange": ">=9.0.0|<10.0.0"
+}
+]
+}
diff --git a/tools/src/test/resources/1.6/valid-component-extraneous-no-version-information.json b/tools/src/test/resources/1.6/valid-component-extraneous-no-version-information.json
new file mode 100644
index 00000000..ab2e2c9c
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-component-extraneous-no-version-information.json
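Review bot: The implicit fixture's `description` says `isExtraneous` is "set implicit by default value", which suggests the validator fills in `"default": false` before checking; JSON Schema validators do not apply defaults, and this file is rejected only because the schema's `if` matches an instance where `isExtraneous` is absent. Reword so the fixture documents the behaviour it actually exercises, e.g. `"description": "versionRange may only exist on extraneous components; isExtraneous is omitted here, so the restriction still applies"`. The sibling explicit fixture above is fine as is.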
@@ -0,0 +1,14 @@
+{
+"bomFormat": "CycloneDX",
+"specVersion": "1.6",
+"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+"version": 1,
+"components": [
+{
+"type": "library",
+"name": "Foo",
+"description": "extraneous without any version constraints",
+"isExtraneous": true
+}
+]
+}
diff --git a/tools/src/test/resources/1.6/valid-component-extraneous-with-version.json b/tools/src/test/resources/1.6/valid-component-extraneous-with-version.json
new file mode 100644
index 00000000..59f9bd5e
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-component-extraneous-with-version.json
@@ -0,0 +1,15 @@
+{
+"bomFormat": "CycloneDX",
+"specVersion": "1.6",
+"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+"version": 1,
+"components": [
+{
+"type": "library",
+"name": "Foo",
+"description": "extraneous with version constraint",
+"isExtraneous": true,
+"version": "9.1.24"
+}
+]
+}
diff --git a/tools/src/test/resources/1.6/valid-component-extraneous-with-versionRange.json b/tools/src/test/resources/1.6/valid-component-extraneous-with-versionRange.json
new file mode 100644
index 00000000..b180187e
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-component-extraneous-with-versionRange.json
@@ -0,0 +1,15 @@
+{
+"bomFormat": "CycloneDX",
+"specVersion": "1.6",
+"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+"version": 1,
+"components": [
+{
+"type": "library",
+"name": "Foo",
+"description": "extraneous with version range constraints",
+"isExtraneous": true,
+"versionRange": ">=9.0.0|<10.0.0"
+}
+]
+}
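Review bot: The range value `>=9.0.0|<10.0.0` in the valid `versionRange` fixture has no scheme prefix; if the referenced `#/definitions/versionRange` documents the Package URL vers syntax, as earlier revisions of this schema do, the positive fixture should carry a conforming value so it doubles as a usable example, e.g. `"versionRange": "vers:<scheme>/>=9.0.0|<10.0.0"` with a real scheme in place of the placeholder. The same bare value in the invalid fixtures is harmless, since those are rejected for other reasons. If the definition enforces no pattern, the schema accepts either form and this is documentation only.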