Added citation support and test cases.

[stevespringett]

TODO/DONE

• JSON schema modified
• XML schema modified
• ProtoBuf schema modified
• JSON examples/test data crafted
• XML examples/test data crafted
• ProtoBuf examples/test data crafted

[jkowalleck]

RFC notice sent on May 1, 2025

• https://groups.io/g/CycloneDX/message/309
• https://cyclonedx.slack.com/archives/CVA0G10FN/p1746132948459179

Public RFC period ended May 29, 2025

[jkowalleck]

@stevespringett i see lacks in the implementation. I'd reject the current version for its unclear implementation.

[jkowalleck]

my remark was clarified. since there is no question left in the spec, this is ready for TC54 vote.

i will fix the current merge conflicts, and i will add additional valid/invalid examples according to spec, and might adjust the schemas to detect the invalid cases if possible.

PS:
got it implemented in XSD via abcc29d
but the Java/Saxon foo is breaking for poor implementation - https://github.com/CycloneDX/specification/actions/runs/16050317279/job/45291176560?pr=630
will revert the XSD improvements. 😭

[jkowalleck]

after reading this spec again, i really do not like it. 👎

the idea of pointer is a horror for most implementations that use (unsorted) sets for data storage. the order of most elements never really mattered, but now it does.
this spec is much to much dependent of schema implementations (XML/JSON/PB) and programming-language implementations.

---

PS:

I understand the idea - have something to annotate everything, without the need of adding bom-ref at all objects.
Unfortunately, the proposed spec with pointers is not an ideal solution for the following points.

• it makes transformation (e.g. from JSON to XML) non-trivial/complex/hard - since data structures are not the same in all schemas
• it is not downstream-implementation friendly - since it requires tracking order of elements.

Were alternatives considered during the development of this solution?

[jkowalleck]

per spec, formulations describe how a component came together.

Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process.

per spec, metadata.tools list how the BOM came together.

The tool(s) used in the creation, enrichment, and validation of the BOM.

since this feature intents to annotate/detail how the BOM was made, I would expect to reference one of metadata.tools here, not a formulation.
am i wrong?