refactor: metadata distribution to be an object (#653)

Refactored `metadata.distribution` to be more verbose in its name, and
made it more versatile by converting it to an "object" with "TLP" as a
property.

caused by
#603 (comment)

Author: jkowalleck

schema/bom-1.7.proto

@@ -564,6 +564,11 @@ enum LicensingTypeEnum {
 }
 
 message Metadata {
+  message DistributionConstraints {
+    // The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes.
+    optional TlpClassification tlp = 1;
+  }
+
   // The date and time (timestamp) when the document was created.
   optional google.protobuf.Timestamp timestamp = 1;
   // The tool(s) used in the creation of the BOM.
@@ -585,8 +590,8 @@ message Metadata {
   repeated Lifecycles lifecycles = 9;
   // The organization that created the BOM. Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '.authors' instead.
   optional OrganizationalEntity manufacturer = 10;
-  // The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes.
-  optional TlpClassification distribution = 11;
+  // Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.
+  optional DistributionConstraints distributionConstraints = 11;
 }
 
 message Lifecycles {

schema/bom-1.7.schema.json

@@ -730,10 +730,17 @@
           "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
           "items": {"$ref": "#/definitions/property"}
         },
-        "distribution": {
-          "title": "Distribution",
-          "description": "The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes.",
-          "$ref": "#/definitions/tlpClassification"
+        "distributionConstraints": {
+          "title": "Distribution Constraints",
+          "description": "Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.",
+          "type": "object",
+          "properties": {
+            "tlp": {
+              "$ref": "#/definitions/tlpClassification",
+              "description": "The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."
+            }
+          },
+          "additionalProperties": false
         }
       }
     },

schema/bom-1.7.xsd

@@ -256,11 +256,25 @@ limitations under the License.
                         Formal registration is optional.</xs:documentation>
                 </xs:annotation>
             </xs:element>
-            <xs:element name="distribution" type="bom:tlpClassificationType" default="CLEAR" minOccurs="0" maxOccurs="1">
+            <xs:element name="distributionConstraints" minOccurs="0" maxOccurs="1">
                 <xs:annotation>
-                    <xs:documentation>The Traffic Light Protocol (TLP) classification that controls the sharing and distribution
-                        of the data that the BOM describes.</xs:documentation>
+                    <xs:documentation>
+                        Conditions and constraints governing the sharing and distribution of the data or components
+                        described by this BOM.
+                    </xs:documentation>
                 </xs:annotation>
+                <xs:complexType>
+                    <xs:sequence>
+                        <xs:element name="tlp" type="bom:tlpClassificationType" default="CLEAR" minOccurs="0" maxOccurs="1">
+                            <xs:annotation>
+                                <xs:documentation>
+                                    The Traffic Light Protocol (TLP) classification that controls the sharing and
+                                    distribution of the data that the BOM describes.
+                                </xs:documentation>
+                            </xs:annotation>
+                        </xs:element>
+                    </xs:sequence>
+                </xs:complexType>
             </xs:element>
             <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
                 <xs:annotation>

tools/src/test/resources/1.7/valid-metadata-distribution-1.7.json

@@ -5,7 +5,9 @@
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
   "version": 1,
   "metadata": {
-    "distribution": "RED"
+    "distributionConstraints": {
+      "tlp": "RED"
+    }
   },
   "components": []
 }

tools/src/test/resources/1.7/valid-metadata-distribution-1.7.textproto

@@ -5,5 +5,7 @@ spec_version: "1.7"
 version: 1
 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
 metadata {
-  distribution: TLP_CLASSIFICATION_RED
+  distributionConstraints {
+    tlp: TLP_CLASSIFICATION_RED
+  }
 }

tools/src/test/resources/1.7/valid-metadata-distribution-1.7.xml

@@ -1,7 +1,9 @@
 <?xml version="1.0"?>
 <bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.7">
     <metadata>
-        <distribution>RED</distribution>
+        <distributionConstraints>
+            <tlp>RED</tlp>
+        </distributionConstraints>
     </metadata>
     <components />
 </bom>