Re: [Buildroot] [PATCH v5 1/8] utils/generate-cyclonedx: use tuple for version

From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Quentin Schulz <quentin.schulz@cherry.de>
Cc: Thomas Perale <thomas.perale@mind.be>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH v5 1/8] utils/generate-cyclonedx: use tuple for version
Date: Thu,  9 Apr 2026 22:27:23 +0200	[thread overview]
Message-ID: <20260409202723.300317-1-thomas.perale@mind.be> (raw)
In-Reply-To: <af55c098-2733-49fa-8d98-ffeb8072de94@cherry.de>

Hi Quentin,

> How about generating the version with
> 
> '.'.join(str(x) for x in CYCLONEDX_VERSION)
> ? This way, we support when there are patch versions as well (1.6.1 exists after all).
> 
> Maybe a class for the version would be best, then we can convert to (__init__) and from (__str__) the class to a string and compare two versions against each other (using tuples or list for example; __eq__/__lt__).
> 
> Now I'm wondering whether the SPDX schema version needs to be in sync with the BOM schema? Because while there exists a 1.6.1 SPDX schema which differs from 1.6 SPDX schema, see commit 5f3ee8066491 ("Updating SPDX license list to 3.24.0."), the BOM schema too is different but it's kept under the same name of bom-1.6.schema.json (and the $id is the same).
> 
> Also, are we validating that our SBOM generated by this script is actually CycloneDX version X.Y compatible? Should we download the bom-1.6.schema.json and validate it with e.g. jsonschema?

It's true that 1.6.1 exists ... Good catch, i will rework this part and take into account your comments.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot