Add test files

Author: mr-zepol

src/test/resources/1.7/informal-invalid-component-versionRange-non-external-explicit.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
+     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"
+>
+    <!--
+    this would be formal, if the support for XSD1.1's `assert` was properly implemented
+    in validators and tools digesting XML.
+    -->
+    <components>
+        <component type="library" isExternal="false">
+            <name>InvalidVersions</name>
+            <versionRange><![CDATA[vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1]]></versionRange>
+            <description>versionRange may only exist on extraneous components, set `isExternal` explicit</description>
+        </component>
+    </components>
+</bom>

src/test/resources/1.7/informal-invalid-component-versionRange-non-external-implicit.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
+     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"
+>
+    <!--
+    this would be formal, if the support for XSD1.1's `assert` was properly implemented
+    in validators and tools digesting XML.
+    -->
+    <components>
+        <component type="library">
+            <!-- @isExternal defaults to `false` -->
+            <name>InvalidVersions</name>
+            <versionRange><![CDATA[vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1]]></versionRange>
+            <description>versionRange may only exist on extraneous components, set `isExternal` implicit by default value</description>
+        </component>
+    </components>
+</bom>

src/test/resources/1.7/invalid-bomformat-1.7.json

@@ -0,0 +1,9 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+  "bomFormat": "AnotherFormat",
+  "specVersion": "1.7",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "components": [
+  ]
+}

src/test/resources/1.7/invalid-citations-1.7.json

@@ -0,0 +1,40 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.7",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2025-05-01T14:23:00Z"
+  },
+  "components": [
+    {
+      "type": "library",
+      "bom-ref": "component-1",
+      "name": "example-lib",
+      "version": "1.2.3",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0"
+          }
+        }
+      ]
+    }
+  ],
+  "citations": [
+    {
+      "bom-ref": "citation-1",
+      "pointers": ["/components/0/name"],
+      "timestamp": "2025-05-01T14:00:00Z",
+      "note": "Should have at least one of the following property sets: property 'attributedTo' or property 'process'"
+    },
+    {
+      "bom-ref": "citation-1",
+      "pointers": ["/components/0/name"],
+      "expressions": ["$..[?(@.bom-ref=='component-1')].version"],
+      "timestamp": "2025-05-01T14:00:00Z",
+      "note": "Should not have both a pointer and expression."
+    }
+  ]
+}

src/test/resources/1.7/invalid-citations-1.7.textproto

@@ -0,0 +1,48 @@
+# proto-file: schema/bom-1.7.proto
+# proto-message: Bom
+
+spec_version: "1.7"
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+version: 1
+
+metadata: {
+  timestamp: {
+    seconds: 1754424907
+    nanos: 0
+  }
+}
+
+components: {
+  type: CLASSIFICATION_LIBRARY
+  bom_ref: "component-1"
+  name: "example-lib"
+  version: "1.2.3"
+  licenses: {
+    license: {
+      id: "Apache-2.0"
+    }
+  }
+}
+
+## !! NO formal check possible
+#citations: {
+#  bom_ref: "citation-1"
+#  pointers: { pointer: "/components/0/name" }
+#  timestamp: {
+#    seconds: 1746108000
+#    nanos: 0
+#  }
+#  note: "Should have at least one of the following property sets: property 'attributedTo' or property 'process'"
+#}
+
+
+citations: {
+  bom_ref: "citation-1"
+  pointers: { pointer: "/components/0/name" }
+  expressions: { expression: "$..[?(bom_ref=='component-1')].version" }
+  timestamp: {
+    seconds: 1746108000
+    nanos: 0
+  }
+  note: "Should not have both a pointer and expression."
+}

src/test/resources/1.7/invalid-citations-1.7.xml

@@ -0,0 +1,100 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
+     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+     version="1"
+>
+    <metadata>
+        <timestamp>2025-05-01T14:23:00Z</timestamp>
+        <authors>
+            <author bom-ref="person-1">
+                <name>Alice Example</name>
+                <email>alice@example.com</email>
+            </author>
+        </authors>
+    </metadata>
+    <components>
+        <component type="library" bom-ref="component-1">
+            <name>example-lib</name>
+            <version>1.2.3</version>
+            <licenses>
+                <license>
+                    <id>Apache-2.0</id>
+                </license>
+            </licenses>
+        </component>
+    </components>
+    <formulation>
+        <formula bom-ref="formula-1">
+            <components>
+                <component type="application" bom-ref="scan-tool-1">
+                    <name>My Scan Tool</name>
+                </component>
+            </components>
+            <workflows>
+                <workflow bom-ref="workflow-1">
+                    <uid>259bae74-5ec4-4de8-9386-c91b1f7719b8</uid>
+                    <name>My workflow</name>
+                    <tasks>
+                        <task bom-ref="task-license-scan">
+                            <uid>6d75f8d6-a008-41cf-8b65-c4129fc249f9</uid>
+                            <description>License scan of the source files using OpenSourceScanner v2.1</description>
+                            <taskTypes>
+                                <taskType>scan</taskType>
+                            </taskTypes>
+                        </task>
+                        <task bom-ref="task-license-scan-2">
+                            <uid>dfc0268a-89cb-4823-bb88-84115a06b64d</uid>
+                            <description>License scan of the source files using [REDACTED]</description>
+                            <taskTypes>
+                                <taskType>scan</taskType>
+                            </taskTypes>
+                        </task>
+                    </tasks>
+                    <taskTypes>
+                        <taskType>scan</taskType>
+                    </taskTypes>
+                </workflow>
+            </workflows>
+        </formula>
+    </formulation>
+    <citations>
+        <!-- spec-requirement that is not formalized in the XSD:
+        <citation bom-ref="citation-1">
+            <pointers>
+                <pointer>/components/0/name</pointer>
+            </pointers>
+            <timestamp>2025-05-01T14:00:00Z</timestamp>
+            <note>Should have at least one of the following children 'attributedTo' or 'process'</note>
+        </citation>
+        -->
+        <citation bom-ref="citation-2">
+            <pointers>
+                <pointer>/components/0/licenses/0/license/id</pointer>
+            </pointers>
+            <timestamp>2025-05-01T14:05:00Z</timestamp>
+            <attributedTo>person-1</attributedTo>
+            <attributedTo>scan-tool-1</attributedTo>
+            <note>Should have at max one 'attributedTo'</note>
+        </citation>
+        <citation bom-ref="citation-3">
+            <pointers>
+                <pointer>/components/0/licenses/0/license/id</pointer>
+            </pointers>
+            <timestamp>2025-05-01T14:05:00Z</timestamp>
+            <process>task-license-scan</process>
+            <process>task-license-scan-2</process>
+            <note>Should have at max one 'process'</note>
+        </citation>
+        <citation bom-ref="citation-4">
+            <pointers>
+                <pointer>/components/0/licenses/0/license/id</pointer>
+            </pointers>
+            <expressions>
+                <expression>//*[@bom-ref='component-1']/version</expression>
+            </expressions>
+            <timestamp>2025-05-01T14:05:00Z</timestamp>
+            <process>task-license-scan</process>
+            <note>Should not have both a pointer and expression.</note>
+        </citation>
+    </citations>
+</bom>

src/test/resources/1.7/invalid-component-external-version-and-range.json

@@ -0,0 +1,17 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.7",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "components": [
+    {
+      "type": "library",
+      "name": "InvalidVersions",
+      "description": "may have `version` or `versionRange`, not both. This one does - it is invalid",
+      "version": "9.0.14",
+      "versionRange": "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1",
+      "isExternal": true
+    }
+  ]
+}

src/test/resources/1.7/invalid-component-external-version-and-range.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
+     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+     version="1"
+>
+    <components>
+        <component type="library" isExternal="true">
+            <name>InvalidVersions</name>
+            <version>9.0.14</version>
+            <versionRange><![CDATA[vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1]]></versionRange>
+            <description>may have `version` or `versionRange`, not both. This one does - it is invalid</description>
+        </component>
+    </components>
+</bom>

src/test/resources/1.7/invalid-component-ref-1.7.json

@@ -0,0 +1,21 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.7",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "components": [
+    {
+      "type": "library",
+      "bom-ref": "123",
+      "name": "acme-library",
+      "version": "1.0.0"
+    },
+    {
+      "type": "library",
+      "bom-ref": "",
+      "name": "acme-library",
+      "version": "1.0.0"
+    }
+  ]
+}

src/test/resources/1.7/invalid-component-ref-1.7.xml

@@ -0,0 +1,28 @@
+<?xml version="1.0"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
+     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+     version="1"
+>
+    <components>
+        <component type="library" bom-ref="123">
+            <name>acme-library</name>
+            <version>1.0.0</version>
+            <components>
+                <component type="library" bom-ref="123">
+                    <!-- duplicate value in attribute `bom-ref` -->
+                    <name>acme-library</name>
+                    <version>1.0.0</version>
+                </component>
+                <component type="library" bom-ref="123">
+                    <name>acme-library2</name>
+                    <version>1.0.0</version>
+                </component>
+                <component type="library" bom-ref="">
+                    <!-- empty value in attribute `bom-ref` -->
+                    <name>acme-library</name>
+                    <version>1.0.0</version>
+                </component>
+            </components>
+        </component>
+    </components>
+</bom>