fix(ProtoBuf): Component.evidence optional

[jkowalleck]

fixes #422
by reverting the unreleased 19a1530 & acc5f3a
as discussed here: #422 (comment)

[jkowalleck]

@nscuro @andreas-hilti ,

May I ask you for a review?

Would you consider this a breaking change? I've read https://protobuf.dev/programming-guides/dos-donts/#repeated-to-scalarin that subject matter.

[andreas-hilti]

For protobufs with a single evidence entry, it would be compatible, compare also:
https://protobuf.dev/programming-guides/proto3/#updating
However, for protobufs with multiple evidence entries, the merging of the elements will lead to a different behavior than what is specified in the comment (namely ignoring all but the first entry).
Thus, I tend to think it would be a breaking change.

[jkowalleck]

Sorry for the confusion.

However, for protobufs with multiple evidence entries, the merging of the elements will lead to a different behavior than what is specified in the comment (namely ignoring all but the first entry).
Thus, I tend to think it would be a breaking change.

The current comment was a proposed fix for #422.
A fix that

1. is not released, yet
2. was made under the (false?) impression that repeated -> optional would be breaking.

The 1.6.0 diff would be the following: 1.6...jkowalleck:fork_CycloneDX-specification:fix/protobuuf-component-evidence-optional#diff-31a634760e9b4432c392ead00601567422a8cc12ac462dead1a7f7ab9fa90fdb

[jkowalleck]

@nscuro @andreas-hilti ,

May I ask you for a review?
The actual 1.6.0 diff would be the following: 1.6...jkowalleck:fork_CycloneDX-specification:fix/protobuuf-component-evidence-optional#diff-31a634760e9b4432c392ead00601567422a8cc12ac462dead1a7f7ab9fa90fdb

[jkowalleck]

Only the first item in the optional repeated list is to be taken into account; every other item in the list is to be ignored/omitted.

this was an early idea to solve the same issue. it was never publishe / released.
therefore, it is not binding.