New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
xml/json 1.5 spec differences? #456
Comments
JSON and XML do have different scopes and capabilities - technical wise. They are not the same, and therefore they have different capabilities and different solutions to the same problem. I tried to understand your concerns, but was not able to process your remarks and find any entry-point. Do you need further documentation? Do you want to propose an improvement? I don't understand. |
Thanks, as stated:
The simple answer of "yes they are different" is worrisome from the perspective of an implementer since we were under the impression this is one standard but from a technical point of view this requires the modeling and validation of two different ones without any apparent reason. This is even more unexpected when what's modeled in XML is clearly achievable in Json as well but it's simply not done this way. Let's begin with this specific discrepancy. Why is the dependency modeled differently in XML and Json when there is no limitation coming from the Json schema requiring this. Is this decision documented somewhere? |
This is still true. CycloneDX is a standard. |
Comparing the two specification I've found a couple differences.
json definitions
Last one is about
Dependency
in json it is defined as having two properties:
ref
anddependsOn
, the first arefLinkType
, second one a list ofrefLinkType
where
refLinkType
is defined in terms ofrefType
. Both definitions are here:specification/schema/bom-1.5.schema.json
Lines 123 to 132 in 8e131b1
specification/schema/bom-1.5.schema.json
Lines 1224 to 1248 in 8e131b1
so
dependsOn
, in simple terms is a list ofString
xml definitions
Here are the same definitions in xml:
refLinkType
andrefType
look the same to me:specification/schema/bom-1.5.xsd
Lines 38 to 55 in 8e131b1
but dependencies is defined as a sequence of
dependencyType
elements:specification/schema/bom-1.5.xsd
Lines 1783 to 1798 in 8e131b1
so it's a recursive type, in comparison to a list of Strings in json. Beside the simplification of String vs
reftype
etc, this makes it so that a dependency tree of multiple levels, say 3, it's invalid in json but valid in xml.valid dependencies according to the test resources
Here there is a "valid xml dependency" according to the test resources:
specification/tools/src/test/resources/1.5/valid-compositions-1.5.xml
Lines 28 to 33 in 8e131b1
Note that the top dependency's children both are declared as
dependency
and have aref
attribute.On the other side, the "valid json dependency" here
specification/tools/src/test/resources/1.5/valid-dependency-1.5.json
Lines 26 to 37 in 8e131b1
contains a
dependsOn
element "library-c" which clearly is not adependency
highlighted by the lack the requiredref
property. Taking into account that json schema supports recursion in arrays it looks to me like this could have been modeled the same way as the xml counterpart. Just to be sure, I tried an online json schema validator using what I would expect to get hereI've encountered multiple discrepancies between the specifications, fields that are attachment in one and textattachments in other, types that have one single field in one but two in other, etc.
This leaves me wondering.. are they not supposed to match? If not, should this be documented somewhere? What are the consequences of having a same bom that serialized in json and xml convey different information?
The text was updated successfully, but these errors were encountered: