fix(ProtoBuf,XML): component data repeatable (#530)

fixes <#518>

---------

Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Co-authored-by: andreas-hilti <[email protected]>

Author: jkowalleck

schema/bom-1.6.proto

@@ -140,7 +140,7 @@ message Component {
   // A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.
   optional ModelCard modelCard = 25;
   // This object SHOULD be specified for any component of type `data` and must not be specified for other component types.
-  optional ComponentData data = 26;
+  repeated ComponentData data = 26;
   // Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.
   optional CryptoProperties cryptoProperties = 27;
   // The organization that created the component. Manufacturer is common in components created through automated processes. Components created through manual means may have `.authors` instead.

schema/bom-1.6.xsd

@@ -698,7 +698,7 @@ limitations under the License.
                         type `machine-learning-model` and must not be specified for other component types.</xs:documentation>
                 </xs:annotation>
             </xs:element>
-            <xs:element name="data" type="bom:componentDataType" minOccurs="0" maxOccurs="1">
+            <xs:element name="data" type="bom:componentDataType" minOccurs="0" maxOccurs="unbounded">
                 <xs:annotation>
                     <xs:documentation>This object SHOULD be specified for any component of type `data` and must not be
                         specified for other component types.</xs:documentation>

tools/src/test/resources/1.6/valid-component-data-1.6.json

@@ -0,0 +1,30 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "serialNumber": "urn:uuid:1b1bff0e-fdb9-4088-8b9a-1a9f2d9006da",
+  "version": 1,
+  "components": [
+    {
+      "type": "data",
+      "name": "my-configs",
+      "version": "1337",
+      "data": [
+        {
+          "type": "configuration",
+          "name": "app.ini",
+          "contents": {
+            "url": "https://example.com/cfg/1337/app.ini"
+          }
+        },
+        {
+          "type": "other",
+          "name": ".env",
+          "contents": {
+            "url": "https://example.com/cfg/1337/env"
+          }
+        }
+      ]
+    }
+  ]
+}

tools/src/test/resources/1.6/valid-component-data-1.6.textproto

@@ -0,0 +1,25 @@
+# proto-file: schema/bom-1.6.proto
+# proto-message: Bom
+
+spec_version: "1.6"
+version: 1
+serial_number: "urn:uuid:1b1bff0e-fdb9-4088-8b9a-1a9f2d9006da"
+components {
+    type: CLASSIFICATION_DATA
+    name: "my-configs"
+    version: "1337"
+    data {
+       type: COMPONENT_DATA_TYPE_CONFIGURATION
+        name: "app.data"
+        contents {
+            url: "https://example.com/cfg/1337/app.ini"
+        }
+    }
+    data {
+        type: COMPONENT_DATA_TYPE_OTHER
+        name: ".env"
+        contents {
+            url: "https://example.com/cfg/1337/env"
+        }
+    }
+}

tools/src/test/resources/1.6/valid-component-data-1.6.xml

@@ -0,0 +1,24 @@
+<?xml version="1.0"?>
+<bom serialNumber="urn:uuid:1b1bff0e-fdb9-4088-8b9a-1a9f2d9006da" version="1"
+     xmlns="http://cyclonedx.org/schema/bom/1.6">
+    <components>
+        <component type="data">
+            <name>my-configs</name>
+            <version>1337</version>
+            <data>
+                <type>configuration</type>
+                <name>app.ini</name>
+                <contents>
+                    <url>https://example.com/cfg/1337/app.ini</url>
+                </contents>
+            </data>
+            <data>
+                <type>other</type>
+                <name>.env</name>
+                <contents>
+                    <url>https://example.com/cfg/1337/env</url>
+                </contents>
+            </data>
+        </component>
+    </components>
+</bom>

tools/src/test/resources/1.6/valid-component-types-1.6.json

@@ -44,6 +44,11 @@
       "type": "file",
       "name": "file-a",
       "version": "1.0"
+    },
+    {
+      "type": "data",
+      "name": "data-a",
+      "version": "1.0"
     }
   ]
 }

tools/src/test/resources/1.6/valid-component-types-1.6.textproto

@@ -44,3 +44,8 @@ components {
   name: "file-a"
   version: "1.0"
 }
+components {
+  type: CLASSIFICATION_DATA
+  name: "data-a"
+  version: "1.0"
+}

tools/src/test/resources/1.6/valid-component-types-1.6.xml

@@ -33,5 +33,9 @@
             <name>file-a</name>
             <version>1.0</version>
         </component>
+        <component type="data">
+            <name>data-a</name>
+            <version>1.0</version>
+        </component>
     </components>
 </bom>