Added CPE (2.2/2.3) and hash validation. Removed requirement on semver. Updated to RC1

stevespringett · stevespringett · commit 77ccb62a4a44 · 2018-03-07T22:32:28.000-06:00
diff --git a/schema/bom-1.0.xsd b/schema/bom-1.0.xsd
@@ -7,7 +7,7 @@
            targetNamespace="http://cyclonedx.org/schema/bom/1.0"
            vc:minVersion="1.0"
            vc:maxVersion="1.1"
-           version="1.0-M2">
+           version="1.0-RC1">
 
     <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="http://cyclonedx.org/schema/spdx"/>
 
@@ -32,10 +32,10 @@
                         of the component. Examples: commons-lang3 and jquery</xs:documentation>
                 </xs:annotation>
             </xs:element>
-            <xs:element name="version" type="bom:semver" minOccurs="1" maxOccurs="1">
+            <xs:element name="version" type="xs:normalizedString" minOccurs="1" maxOccurs="1">
                 <xs:annotation>
-                    <xs:documentation>The component version. The version should comply to the semantic versioning
-                    specification.</xs:documentation>
+                    <xs:documentation>The component version. The version should ideally comply with semantic versioning
+                    but is not enforced.</xs:documentation>
                 </xs:annotation>
             </xs:element>
             <xs:element name="description" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
@@ -85,7 +85,7 @@
                     <xs:documentation>An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.</xs:documentation>
                 </xs:annotation>
             </xs:element>
-            <xs:element name="cpe" type="xs:string" minOccurs="0" maxOccurs="1">
+            <xs:element name="cpe" type="bom:cpe" minOccurs="0" maxOccurs="1">
                 <xs:annotation>
                     <xs:documentation>Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe</xs:documentation>
                 </xs:annotation>
@@ -142,7 +142,7 @@
             <xs:documentation>Specifies the file hash of the component</xs:documentation>
         </xs:annotation>
         <xs:simpleContent>
-            <xs:extension base="xs:string">
+            <xs:extension base="bom:hashValue">
                 <xs:attribute name="alg" type="bom:hashAlg" use="required">
                     <xs:annotation>
                         <xs:documentation>Specifies the algorithm used to create hash</xs:documentation>
@@ -191,10 +191,21 @@
             <xs:enumeration value="SHA3-512"/>
         </xs:restriction>
     </xs:simpleType>
-
-    <xs:simpleType name="semver">
+    
+    <xs:simpleType name="hashValue">
         <xs:restriction base="xs:token">
-            <xs:pattern value="(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(-(0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(\.(0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*)?(\+[0-9a-zA-Z-]+(\.[0-9a-zA-Z-]+)*)?"/>
+            <xs:pattern value="([a-fA-F0-9]{32})|([a-fA-F0-9]{40})|([a-fA-F0-9]{64})|([a-fA-F0-9]{128})"/>
+        </xs:restriction>
+    </xs:simpleType>
+    
+    <xs:simpleType name="cpe">
+        <xs:annotation>
+            <xs:documentation xml:lang="en">
+                Define the format for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats. Refer to https://nvd.nist.gov/products/cpe for official specification.
+            </xs:documentation>
+        </xs:annotation>
+        <xs:restriction base="xs:string">
+            <xs:pattern value="([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6})|(cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!&quot;#$$%&amp;'\(\)\+,/:;&lt;=&gt;@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!&quot;#$$%&amp;'\(\)\+,/:;&lt;=&gt;@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){4})"/>
         </xs:restriction>
     </xs:simpleType>
 
