Skip to content

Implements conditional subschemas based on component type #774

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
stevespringett wants to merge 1 commit into
base: 2.0-dev
Choose a base branch
from
Open

Implements conditional subschemas based on component type #774

stevespringett wants to merge 1 commit into from
+74 −17

Conversation

@stevespringett
Copy link
Member

@stevespringett stevespringett commented Jan 13, 2026

Implements and closes #638

@stevespringett stevespringett added this to the 2.0 milestone Jan 13, 2026
@stevespringett stevespringett requested a review from a team as a code owner January 13, 2026 00:39
@stevespringett stevespringett added the CDX 2.0 related to release v2.0 label Jan 13, 2026
@stevespringett stevespringett linked an issue Jan 13, 2026 that may be closed by this pull request
CycloneDX 2.0 - Constrain Properties to Applicable Types #638
Open
Copilot AI reviewed Jan 15, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR implements conditional subschemas for component properties based on component type, as specified in issue #638. The changes enforce that certain properties (modelCard, data, cryptoProperties) can only be used with specific component types.

Changes:

  • Removed modelCard, data, and cryptoProperties from the main component properties section
  • Added conditional subschemas using allOf with if-then-else logic to enforce type-specific property usage
  • Added a new conditional requirement for hardware components to prevent swid and purl specification

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Mehrn0ush
Copy link
Contributor

Mehrn0ush commented Feb 10, 2026
edited
Loading

Hi @stevespringett — quick catch on “Version Range Requirement” (around line 281), unless I’m misunderstanding the intent:

Right now the rule triggers on the presence of versionRange, and the then clause only constrains isExternal to be true if isExternal is present. Since isExternal is not required there, an object can still include versionRange while omitting isExternal, and it will pass validation.

If the intent is “versionRange may only be used when isExternal is true” (as the versionRange field description suggests), a more direct pattern would be:

{
  "if": { "required": ["versionRange"] },
  "then": {
    "properties": { "isExternal": { "const": true } },
    "required": ["isExternal"]
  }
}

One small wording consistency nit: the Version Range rule description currently reads “versionRange must not be present when isExternal is false”, while the versionRange field description says “May only be used if isExternal is true.” These are closely related, but it might be worth aligning the phrasing so the intent is unambiguous (and easier to carry into spec text later).

@stevespringett
Copy link
Member Author

stevespringett commented Feb 11, 2026

@Mehrn0ush thank you for the thorough review.

Right now the rule triggers on the presence of versionRange, and the then clause only constrains isExternal to be true if isExternal is present. Since isExternal is not required there, an object can still include versionRange while omitting isExternal, and it will pass validation.

I believe that is accurate and captures the current behavior in v1.7

If the intent is “versionRange may only be used when isExternal is true” (as the versionRange field description suggests), a more direct pattern would be:

@jkowalleck I know you worked on this. What are your thoughts. I attempted to keep the existing logic in place - and I think I have.

One small wording consistency nit: the Version Range rule description currently reads “versionRange must not be present when isExternal is false”, while the versionRange field description says “May only be used if isExternal is true.” These are closely related, but it might be worth aligning the phrasing so the intent is unambiguous (and easier to carry into spec text later).

I'm open to improving the wording. Suggestions.

As far as the design goes. This issue passes the public RFC comment period.

@stevespringett
Copy link
Member Author

stevespringett commented Feb 11, 2026

Actually, this was a defect, so no comment period was necessary.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@jkowalleck jkowalleck Awaiting requested review from jkowalleck

Assignees

No one assigned

Labels

CDX 2.0 related to release v2.0

Projects

None yet

Milestone

2.0

Development

Successfully merging this pull request may close these issues.

CycloneDX 2.0 - Constrain Properties to Applicable Types

2 participants

@stevespringett @Mehrn0ush