[BUG] VulnerabilityReference contradicting definition in JSON and XML

[jkowalleck]

In XML schema definition for CDX-1.4 vulnerabilityType.references.reference the id and source are defined optional (minOccurs="0")
see

specification/schema/bom-1.4.xsd

Lines 1785 to 1797 in ef71717

	<xs:sequence minOccurs="1" maxOccurs="1">
	<xs:element name="id" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
	<xs:annotation>
	<xs:documentation>The identifier that uniquely identifies the vulnerability. For example:
	CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876.</xs:documentation>
	</xs:annotation>
	</xs:element>
	<xs:element name="source" type="bom:vulnerabilitySourceType" minOccurs="0" maxOccurs="1">
	<xs:annotation>
	<xs:documentation>The source that published the vulnerability.</xs:documentation>
	</xs:annotation>
	</xs:element>
	</xs:sequence>

In JSON schema definition for CDX-1.4 the /definitions/vulnerability/properties/references/items the id and source are mandatory (they are in list of required)
see

specification/schema/bom-1.4.schema.json

Lines 1455 to 1458 in ef71717

	"required": [
	"id",
	"source"
	],

these both definitions contradict each other.

please clarify which one is correct (a discussion/comment in here would be great for the start)
and have the XSD & JSON-schema alligned.

[stevespringett]

cc: @coderpatros @DarthHater

[stevespringett]

For vulnerabilities themselves, the id and source are optional because they have to be (support for unknown vulns, etc)

For vulnerability references however, I cannot think of a scenario where the id and source would be optional. Therefore if this is the case, then I believe the proper fix would be to update the XSD and .proto to make those two fields required to match the JSON. However, this may be a breaking change to proto (which also lists these two fields as optional).

Need your input @coderpatros and @DarthHater