Skip to content

Latest commit

 

History

History
3524 lines (1882 loc) · 140 KB

CHANGELOG.md

File metadata and controls

3524 lines (1882 loc) · 140 KB

CHANGELOG

v8.5.0 (2024-11-18)

Documentation

  • docs: remove invalid docsting note about auto-assigned bom-ref values (#733) (5aa5787)

Feature

  • feat: support CycloneDX 1.6.1 (#742)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (55eafed)

v8.4.0 (2024-10-29)

Feature

  • feat: add factory method XsUri.make_bom_link() (#728)

Signed-off-by: Saquib Saifee <saquibsaifee@ibm.com> Co-authored-by: Saquib Saifee <saquibsaifee@ibm.com> (5ec73d0)

Fix

  • fix: no warning for missing dependencies if no component exists (#720)

Signed-off-by: weichslgartner <weichslgartner@gmail.com> (d9c3ded)

Unknown

  • doc: fix Definitions docstring (#731)

Signed-off-by: Hakan Dilek <hakandilek@gmail.com> (5860b67)

v8.3.0 (2024-10-26)

Documentation

  • docs: revisit examples readme (#725)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (e9020f0)

Feature

  • feat: add basic support for Definitions (#701)

Signed-off-by: Hakan Dilek <hakandilek@gmail.com> (a1573e5)

v8.2.1 (2024-10-24)

Fix

  • fix: encode quotation mark in URL (#724)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (a7c7c97)

v8.2.0 (2024-10-22)

Feature

  • feat: Add Python 3.13 support (#718)

Signed-off-by: gruebel <anton.gruebel@gmail.com> (d4be3ba)

v8.1.0 (2024-10-21)

Documentation

  • docs: fix code examples regarding outputting (#709)

Signed-off-by: Hakan Dilek <hakandilek@gmail.com> (c72d5f4)

Feature

  • feat: add support for Lifecycles in BOM metadata (#698)

Signed-off-by: Johannes Feichtner <johannes@web-wack.at> Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> Signed-off-by: Johannes Feichtner <343448+Churro@users.noreply.github.com> Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com> (6cfeb71)

v8.0.0 (2024-10-14)

Breaking

  • feat!: v8.0.0 (#665)

BREAKING Changes

  • Removed cyclonedx.mode.ThisTool, utilize cyclonedx.builder.this.this_tool() instead.
  • Moved cyclonedx.model.Tool to cyclonedx.model.tool.Tool.
  • Property cyclonedx.mode.bom.BomMetaData.tools is of type cyclonedx.model.tool.ToolRepository now, was SortedSet[cyclonedx.model.Tool].
    The getter will act accordingly; the setter might act in a backwards-compatible way.
  • Property cyclonedx.mode.vulnerability.Vulnerability.tools is of type cyclonedx.model.tool.ToolRepository now, was SortedSet[cyclonedx.model.Tool].
    The getter will act accordingly; the setter might act in a backwards-compatible way.
  • Constructor cyclonedx.model.license.LicenseExpression() accepts optional argument acknowledgement only as key-word argument, no longer as positional argument.

Changes

  • Constructor of cyclonedx.model.bom.BomMetaData also accepts an instance of cyclonedx.model.tool.ToolRepository for argument tools.
  • Constructor of cyclonedx.model.bom.BomMetaData no longer adds this very library as a tool.
    Downstream users SHOULD add it manually, like my-bom.metadata.tools.components.add(cyclonedx.builder.this.this_component()).

Fixes

  • Deserialization of CycloneDX that do not include tools in the metadata are no longer unexpectedly modified/altered.

Added

Enabled Metadata Tools representation and serialization in accordance with CycloneDX 1.5

  • New class cyclonedx.model.tool.ToolRepository.
  • New function cyclonedx.builder.this.this_component() -- representation of this very python library as a Component.
  • New function cyclonedx.builder.this.this_tool() -- representation of this very python library as a Tool.
  • New function cyclonedx.model.tool.Tool.from_component().

Dependencies

  • Raised runtime dependency py-serializable&gt;=1.1.1,&lt;2, was &gt;=1.1.0,&lt;2.

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> Signed-off-by: Joshua Kugler <tek30584@adobe.com> Signed-off-by: semantic-release <semantic-release@bot.local> Co-authored-by: Joshua Kugler <joshua@azariah.com> Co-authored-by: semantic-release <semantic-release@bot.local> (002f966)

Documentation

  • docs(chaneglog): omit chore/ci/refactor/style/test/build (#703)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (a210809)

v7.6.2 (2024-10-07)

Documentation

  • docs: fix some doc strings

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (4fa8fc1)

Fix

  • fix: behavior of and typing for crypto setters with optional values (#694)

fixes #690


Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (d8b20bd)

v7.6.1 (2024-09-18)

Fix

  • fix: file copyright headers (#676)

utilizes flake8 plugin <https://pypi.org/project/flake8-copyright-validator/> to assert the correct headers

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (35e00b4)

v7.6.0 (2024-08-14)

Feature

  • feat: HashType.from_composite_str for Blake2b, SHA3, Blake3 (#663)

The code mistreated hashes for Blake2b and SHA3. Code for explicitly handling SHA1 & BLAKE3 was added, as those have no variants defined in the CycloneDX specification.

fixes #652


Signed-off-by: Michael Schlenker <michael.schlenker@contact-software.com> Co-authored-by: Michael Schlenker <michael.schlenker@contact-software.com> Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com> (c59036e)

v7.5.1 (2024-07-08)

Fix

  • fix: XML serialize normalizedString and token properly (#646)

fixes #638


Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (b40f739)

v7.5.0 (2024-07-04)

Feature

  • feat: add workaround property for v1.5 and v1.6 (#642)

Property workaround was missing from the vulnerability model. It was added in spec v1.5 and was marked as TODO before.

This is my first contribution on this project so if I done something wrong, just say me 😃

Signed-off-by: Louis Maillard <louis.maillard@savoirfairelinux.com> Signed-off-by: Louis Maillard <louis.maillard@protonmail.com> Co-authored-by: Louis Maillard <louis.maillard@savoirfairelinux.com> (b5ebcf8)

v7.4.1 (2024-06-12)

Documentation

  • docs: exclude dep bumps from changelog (#627)

fixes #616


Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (60361f7)

Fix

  • fix: cyclonedx.model.Property.value value is optional (#631)

cyclonedx.model.Property.value value is optional, in accordance with the spec.

fixes #630


Signed-off-by: Michael Schlenker <michael.schlenker@contact-software.com> Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> Co-authored-by: Michael Schlenker <michael.schlenker@contact-software.com> Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com> (ad0f98b)

v7.4.0 (2024-05-23)

Documentation

  • docs: OSSP best practice percentage

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (75f58dc)

Feature

  • feat: updated SPDX license list to v3.24.0 (#622)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (3f9770a)

v7.3.4 (2024-05-06)

Fix

  • fix: allow suppliers with empty-string names (#611)

fixes #600


Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (b331aeb)

v7.3.3 (2024-05-06)

Fix

  • fix: json validation allow arbitrary $schema value (#613)

fixes #612


Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (08b7c60)

v7.3.2 (2024-04-26)

Fix

  • fix: properly sort components based on all properties (#599)

reverts #587 - as this one introduced errors fixes #598 fixes #586


Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> Signed-off-by: Paul Horton <paul.horton@owasp.org> Co-authored-by: Paul Horton <paul.horton@owasp.org> (8df488c)

v7.3.1 (2024-04-22)

Fix

  • fix: include all fields of Component in __lt__ function for #586 (#587)

Fixes #586.

Signed-off-by: Paul Horton <paul.horton@owasp.org> (d784685)

v7.3.0 (2024-04-19)

Feature

  • feat: license factory set acknowledgement (#593)

add a parameter to LicenseFactory.make_*() methods, to set the LicenseAcknowledgement.

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (7ca2455)

v7.2.0 (2024-04-19)

Feature

  • feat: disjunctive license acknowledgement (#591)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (9bf1839)

Unknown

  • doc: poor merge resolved

Signed-off-by: Paul Horton <paul.horton@owasp.org> (a498faa)

v7.1.0 (2024-04-10)

Documentation

  • docs: missing schema support table & update schema support to reflect version 7.0.0 (#584)

Signed-off-by: Paul Horton <paul.horton@owasp.org> (d230e67)

Feature

  • feat: support bom.properties for CycloneDX v1.5+ (#585)

Signed-off-by: Paul Horton <paul.horton@owasp.org> (1d1c45a)

v7.0.0 (2024-04-09)

Breaking

  • feat!: Support for CycloneDX v1.6

  • added draft v1.6 schemas and boilerplate for v1.6

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • re-generated test snapshots for v1.6

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • note bom.metadata.manufacture as deprecated

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • work on bom.metadata for v1.6

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • Deprecated .component.author. Added .component.authors and .component.manufacturer

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • work to add .component.omniborid - but tests deserialisation tests fail due to schema differences (.component.author not in 1.6)

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • work to get deserialization tests passing

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • chore(deps): bump py-serializable to >=1.0.3 to resolve issues with deserialization to XML

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • imports tidied

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • properly added .component.swhid

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • add .component.cryptoProperties - with test failures for SchemaVersion < 1.6

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • typing and bandit ignores

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • coding standards

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • test filtering

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • coding standards

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • additional tests to increase code coverage

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • corrected CryptoMode enum

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • coding standards

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • Added address to organizationalEntity

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • Added address to organizationalEntity

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • raise UserWarning in .component.version has length > 1024

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • coding standards and typing

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • add acknowledgement to LicenseExpression (#582)

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • more proper way to filter test cases

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • update schema to published versions

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • fetch schema 1.6 JSON

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • fetch test data for CDX 1.6

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • reformat

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • reformat

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • refactor

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • style

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • refactor

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • docs

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>


Signed-off-by: Paul Horton <paul.horton@owasp.org> Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com> (8bbdf46)

v6.4.4 (2024-03-18)

Fix

  • fix: wrong extra name for xml validation (#571)

Signed-off-by: Christoph Reiter <reiter.christoph@gmail.com> (10e38e2)

v6.4.3 (2024-03-04)

Fix

  • fix: serialization of model.component.Diff (#557)

Fixes #556


Signed-off-by: rcross-lc <151086351+rcross-lc@users.noreply.github.com> Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com> (22fa873)

v6.4.2 (2024-03-01)

Build

  • build: use poetry v1.8.1 (#560)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (6f81dfa)

Documentation

  • docs: update architecture description and examples (#550)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (a19fd28)

  • docs: exclude internal docs from rendering (#545)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (7e55dfe)

Unknown

  • docs

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (63cff7e)

  • docs (#546)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (b0e5b43)

v6.4.1 (2024-01-30)

Documentation

  • docs: ship docs with sdist build (#544)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (52ef01c)

  • docs: refactor example

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (c1776b7)

Fix

  • fix: model.BomRef no longer equal to unset peers (#543)

    fixes #539


Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (1fd7fee)

v6.4.0 (2024-01-22)

Documentation

  • docs: add OpenSSF Best Practices shield (#532)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (59c4381)

Feature

  • feat: support py-serializable v1.0 (#531)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (e1e7277)

v6.3.0 (2024-01-06)

Documentation

  • docs: add Documentation url to project meta

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (1080b73)

  • docs: add Documentation url to project meta

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (c4288b3)

Feature

  • feat: enable dependency py-serializable 0.17 (#529)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (9f24220)

v6.2.0 (2023-12-31)

Build

  • build: allow additional major-version RC branch patterns

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (f8af156)

Documentation

  • docs: fix typo

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (2563996)

  • docs: update intro and description

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (f0bd05d)

  • docs: buld docs on ubuntu22.04 python311

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (b3e9ab7)

Feature

  • feat: allow lxml requirement in range of &gt;=4,&lt;6 (#523)

Updates the requirements on lxml to permit the latest version.


updated-dependencies:

  • dependency-name: lxml dependency-type: direct:production ...

Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (7d12b9a)

Unknown

  • docs

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (7dcd166)

v6.1.0 (2023-12-22)

Feature

  • feat: add function to map python hashlib algorithms to CycloneDX (#519)

new API: model.HashType.from_hashlib_alg()

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (81f8cf5)

v6.0.0 (2023-12-10)

Breaking

  • feat!: v6.0.0 (#492)

Breaking Changes

  • Removed symbols that were already marked as deprecated (via #493)
  • Removed symbols in parser.* (#489 via #495)
  • Removed output.LATEST_SUPPORTED_SCHEMA_VERSION (#491 via #494)
  • Serialization of unsupported enum values might downgrade/migrate/omit them (#490 via #496)
    Handling might raise warnings if a data loss occurred due to omitting.
    The result is a guaranteed valid XML/JSON, since no (enum-)invalid values are rendered.
  • Serialization of any model.component.Component with unsupported type raises exception.serialization.SerializationOfUnsupportedComponentTypeException (#490 via #496)
  • Object model.bom_ref.BomRef's property value defaults to Null, was arbitrary UUID (#504 via #505)
    This change does not affect serialization. All bom-refs are guaranteed to have unique values on rendering.
  • Removed helpers from public API (#503 via #506)

Added

  • Basic support for CycloneDX 1.5 (#404 via #488)
    • No data models were enhanced nor added, yet.
      Pull requests to add functionality are welcome.
    • Existing enumerable got new cases, to reflect features of CycloneDX 1.5 (#404 via #488)
    • Outputters were enabled to render CycloneDX 1.5 (#404 via #488)

Tests

  • Created (regression/unit/integration/functional) tests for CycloneDX 1.5 (#404 via #488)
  • Created (regression/functional) tests for Enums' handling and completeness (#490 via #496)

Misc

  • Bumped dependency py-serializable@^0.16, was @^0.15 (via #496)

API Changes — the details for migration

  • Added new sub-package exception.serialization (via #496)
  • Removed class models.ComparableTuple (#503 via #506)
  • Enum model.ExternalReferenceType got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
  • Removed function models.get_now_utc (#503 via #506)
  • Removed function models.sha1sum (#503 via #506)
  • Enum model.component.ComponentType got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
  • Removed model.component.Component.__init__()'s deprecated optional kwarg namespace (via #493)
    Use kwarg group instead.
  • Removed model.component.Component.__init__()'s deprecated optional kwarg license_str (via #493)
    Use kwarg licenses instead.
  • Removed deprecated method model.component.Component.get_namespace() (via #493)
  • Removed class models.dependency.DependencyDependencies (#503 via #506)
  • Removed model.vulnerability.Vulnerability.__init__()'s deprecated optional kwarg source_name (via #493)
    Use kwarg source instead.
  • Removed model.vulnerability.Vulnerability.__init__()'s deprecated optional kwarg source_url (via #493)
    Use kwarg source instead.
  • Removed model.vulnerability.Vulnerability.__init__()'s deprecated optional kwarg recommendations (via #493)
    Use kwarg recommendation instead.
  • Removed model.vulnerability.VulnerabilityRating.__init__()'s deprecated optional kwarg score_base (via #493)
    Use kwarg score instead.
  • Enum model.vulnerability.VulnerabilityScoreSource got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
  • Removed output.LATEST_SUPPORTED_SCHEMA_VERSION (#491 via #494)
  • Removed deprecated function output.get_instance() (via #493)
    Use function output.make_outputter() instead.
  • Added new class output.json.JsonV1Dot5, to reflect CycloneDX 1.5 (#404 via #488)
  • Added new item to dict output.json.BY_SCHEMA_VERSION, to reflect CycloneDX 1.5 (#404 via #488)
  • Added new class output.xml.XmlV1Dot5, to reflect CycloneDX 1.5 (#404 via #488)
  • Added new item to dict output.xml.BY_SCHEMA_VERSION, to reflect CycloneDX 1.5 (#404 via #488)
  • Removed class parser.ParserWarning (#489 via #495)
  • Removed class parser.BaseParser (#489 via #495)
  • Enum schema.SchemaVersion got new case V1_5, to reflect CycloneDX 1.5 (#404 via #488)

Signed-off-by: Johannes Feichtner <johannes@web-wack.at> Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> Signed-off-by: semantic-release <semantic-release> Co-authored-by: Johannes Feichtner <343448+Churro@users.noreply.github.com> Co-authored-by: semantic-release <semantic-release> (74865f8)

v5.2.0 (2023-12-02)

Documentation

  • docs: keywaords & funding (#486)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (3189e59)

Feature

  • feat: model.XsUri migrate control characters according to spec (#498)

fixes #497


Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (e490429)

v5.1.1 (2023-11-02)

Fix

  • fix: update own externalReferences (#480)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (edb3dde)

v5.1.0 (2023-10-31)

Documentation

  • docs: advance license docs

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (f61a730)

Feature

  • feat: guarantee unique BomRefs in serialization result (#479)

Incorporate output.BomRefDiscriminator on serialization

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (a648775)

v5.0.1 (2023-10-24)

Documentation

  • docs: revisit project meta (#475)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (c3254d0)

  • docs: fix RTFD build (#476)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (b9fcfb4)

Unknown

  • "chore(deps): revert bump python-semantic-release/python-semantic-release (#474)"

This reverts commit 9c3ffac34e89610ccc4f9701444127e1e6f5ee07.

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (aae7304)

v5.0.0 (2023-10-24)

Breaking

  • feat!: v5.0.0 (#440)

BREAKING CHANGES

  • Dropped support for python<3.8 (#436 via #441; enable #433)
  • Reworked license related models, collections, and factories (#365 via #466)
  • Behavior
    • Method model.bom.Bom.validate() will throw exception.LicenseExpressionAlongWithOthersException, if detecting invalid license constellation (#453 via #452)
    • Fixed tuple comparison when unequal lengths (via #461)
  • API
    • Enum schema.SchemaVersion is no longer string-like (#442 via #447)
    • Enum schema.OutputVersion is no longer string-like (#442 via #447)
    • Abstract class output.BaseOutput requires implementation of new method output_format (#446 via #447)
    • Abstract method output.BaseOutput.output_as_string() got new optional parameter indent (#437 via #458)
    • Abstract method output.BaseOutput.output_as_string() accepts arbitrary kwargs (via #458, #462)
    • Removed class factory.license.LicenseChoiceFactory (via #466)
      The old functionality was integrated into factory.license.LicenseFactory.
    • Method factory.license.LicenseFactory.make_from_string()'s parameter name_or_spdx was renamed to value (via #466)
    • Method factory.license.LicenseFactory.make_from_string()'s return value can also be a LicenseExpression (#365 via #466)
      The behavior imitates the old factory.license.LicenseChoiceFactory.make_from_string()
    • Renamed class module.License to module.license.DisjunctliveLicense (#365 via #466)
    • Removed class module.LicenseChoice (#365 via #466)
      Use dedicated classes module.license.DisjunctliveLicense and module.license.LicenseExpression instead
    • All occurrences of models.LicenseChoice were replaced by models.licenses.License (#365 via #466)
    • All occurrences of SortedSet[LicenseChoice] were specialized to models.license.LicenseRepository (#365 via #466)

Fixed

  • Serialization of multy-licenses (#365 via #466)
  • Detect unused "dependent" components in model.bom.validate() (via #464)

Changed

  • Updated latest supported list of supported SPDX license identifiers (via #433)
  • Shipped schema files are moved to a protected space (via #433)
    These files were never intended for public use.
  • XML output uses a default namespace, which makes results smaller. (#438 via #458)

Added

  • Support for Python 3.12 (via #460)
  • JSON- & XML-Validators (#432, #446 via #433, #448)
    The functionality might require additional dependencies, that can be installed with the extra "validation".
    See the docs in section "Installation" for details.
  • JSON & XML can be generated in a more human-friendly form (#437, #438 via #458)
  • Type hints, typings & overloads for better integration downstream (via #463)
  • API
    • New function output.make_outputter() (via #469)
      This replaces the deprecated function output.get_instance().
    • New sub-package validation (#432, #446 via #433, #448, #469, #468, #469)
    • New class exception.MissingOptionalDependencyException (#432 via #433)
    • New class exception.LicenseExpressionAlongWithOthersException (#453 via #452)
    • New dictionaries output.{json,xml}.BY_SCHEMA_VERSION (#446 via #447)
    • Existing implementations of class output.BaseOutput now have a new method output_format (#446 via #447)
    • Existing implementations of method output.BaseOutput.output_as_string() got new optional parameter indent (#437 via #458)
    • Existing implementations of method output.BaseOutput.output_to_file() got new optional parameter indent (#437 via #458)
    • New method factory.license.LicenseFactory.make_with_expression() (via #466)
    • New class model.license.DisjunctiveLicense (#365 via #466)
    • New class model.license.LicenseExpression (#365 via #466)
    • New class model.license.LicenseRepository (#365 via #466)
    • New class serialization.LicenseRepositoryHelper (#365 via #466)

Deprecated

  • Function output.get_instance() might be removed, use output.make_outputter() instead (via #469)

Tests

  • Added validation tests with official CycloneDX schema test data (#432 via #433)
  • Use proper snapshots, instead of pseudo comparison (#437 via #464)
  • Added regression test for bug #365 (via #466, #467)

Misc

  • Dependencies: bumped py-serializable@^0.15.0, was @^0.11.1 (via #458, #463, #464, #466)
  • Style: streamlined quotes and strings (via #472)
  • Chore: bumped internal dev- and QA-tools (#436 via #441, #472)
  • Chore: added more QA tools to prevent common security issues (via #473)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> Signed-off-by: Jan Kowalleck <jan.kowalleck@owasp.org> Signed-off-by: semantic-release <semantic-release> Co-authored-by: semantic-release <semantic-release> (26b151c)

v4.2.3 (2023-10-16)

Fix

  • fix: SPDX-expression-validation internal crashes are cought and handled (#471)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (5fa66a0)

v4.2.2 (2023-09-14)

Documentation

  • docs: fix shield in README

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (6a941b1)

  • docs(example): showcase LicenseChoiceFactory (#428)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (c56ec83)

Fix

  • fix: ship meta files (#434)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (3a1a8a5)

v4.2.1 (2023-09-06)

Fix

  • fix: LicenseChoiceFactory.make_from_string() prioritize SPDX id over expression (#427)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (e1bdfdd)

v4.2.0 (2023-09-06)

Feature

  • feat: complete SPDX license expression (#425)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (e06f9fd)

v4.1.0 (2023-08-27)

Documentation

  • docs(examples): showcase shorthand dependency management (#403)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (8b32efb)

Feature

  • feat: programmatic access to library's version (#417)

adds cyclonedx.__version__

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (3585ea9)

v4.0.1 (2023-06-28)

Documentation

  • docs(examples): README (#399)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (1d262ba)

  • docs: add exaple how to build and serialize (#397)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (65e22bd)

Fix

  • fix: conditional warning if no root dependencies were found (#398)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (c8175bb)

Unknown

  • 4.0.1

Automatically generated by python-semantic-release (4a72f51)

  • Add missing space in warning message. (#364)

Signed-off-by: Michael Schlenker <michael.schlenker@contact-software.com> Co-authored-by: Michael Schlenker <michael.schlenker@contact-software.com> (dad0d28)

v4.0.0 (2023-03-20)

Breaking

  • feat: Release 4.0.0 #341)

Highlights of this release include:

  • Support for De-serialization from JSON and XML to this Pythonic Model
  • Deprecation of Python 3.6 support
  • Support for Python 3.11
  • Support for BomLink
  • Support VEX without needing Component in the same Bom
  • Support for services having dependencies

BREAKING CHANGE: Large portions of this library have been re-written for this release and many methods and contracts have changed.

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • feat: support VEX without Components in the same BOM

BREAKING CHANGE: Model classes changed to relocated Vulnerability at Bom, not at Component

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • feat: support VEX without Components in the same BOM

BREAKING CHANGE: Model classes changed to relocated Vulnerability at Bom, not at Component

Signed-off-by: Paul Horton <paul.horton@owasp.org>

feat: allow version of BOM to be defined

feat: allow serial_number of BOM to be prescribed

feat: add helper method to get URN for a BOM according to https://www.iana.org/assignments/urn-formal/cdx Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • chore: fix release workflow

  • chore: editorconfig

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • feat: support for deserialization from JSON and XML (#290)

BREAKING CHANGE:

  • feat: drop Python 3.6 support

Signed-off-by: Hakan Dilek <hakandilek@gmail.com> Signed-off-by: Paul Horton <paul.horton@owasp.org> Co-authored-by: Hakan Dilek <hakandilek@gmail.com> Co-authored-by: Hakan Dilek <hakandilek@users.noreply.github.com>

  • fix: update serializable to include XML safety changes

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • feat: Support for Python 3.11 (#349)

  • feat: officially test and support Python 3.11

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • removed unused imports

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • bump poetry to 1.1.12 in CI

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • fix: remove toml as dependency as not used and seems to be breaking Python 3.11 CI

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • fix: removed types-toml from dependencies - not used

Signed-off-by: Paul Horton <paul.horton@owasp.org>


Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • fix: removed autopep8 in favour of flake8 as both have conflicting dependencies now

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • chore: bump dev dependencies

fix: removed setuptools as dependency Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • tests: compoennt versions optional (#350)

  • chore: exclude venv* from QA; add typing to QA

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • tests: component versions are optional

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>


Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • doc: doc updates for new deserialization feature

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • doc: doc updates for contribution

Signed-off-by: Paul Horton <paul.horton@owasp.org>


Signed-off-by: Paul Horton <paul.horton@owasp.org> Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> Signed-off-by: Hakan Dilek <hakandilek@gmail.com> Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com> Co-authored-by: Hakan Dilek <hakandilek@gmail.com> Co-authored-by: Hakan Dilek <hakandilek@users.noreply.github.com> (8fb1b14)

Unknown

  • 4.0.0

Automatically generated by python-semantic-release (40fbfda)

v3.1.5 (2023-01-12)

Fix

  • fix: mak test's schema paths relative to cyclonedx package (#338)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (1f0c05f)

Unknown

  • 3.1.5

Automatically generated by python-semantic-release (ba603cf)

v3.1.4 (2023-01-11)

Fix

  • fix(tests): include tests in sdist builds (#337)

  • feat: include tests in sdist builds for #336

  • delete unexpected DS_Store file

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (936ad7d)

Unknown

  • 3.1.4

Automatically generated by python-semantic-release (0b19294)

v3.1.3 (2023-01-07)

Fix

  • fix: serialize dependency graph for nested components (#329)

  • tests: regression tests for issue #328

  • fix: for issue #328

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (fb3f835)

Unknown

  • 3.1.3

Automatically generated by python-semantic-release (11a420c)

v3.1.2 (2023-01-06)

Documentation

  • docs: typo

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (539b57a)

  • docs: fix shields (#324)

caused by badges/shields#8671

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (555dad4)

  • docs: fix typo (#318)

Signed-off-by: Roland Weber <rolweber@de.ibm.com> (63bfb87)

Fix

  • fix: prevent errors on metadata handling for some specification versions (#330)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (f08a656)

Unknown

  • 3.1.2

Automatically generated by python-semantic-release (0853d14)

  • clarify sign-off step (#319)

Signed-off-by: Roland Weber <rolweber@de.ibm.com> (007fb96)

v3.1.1 (2022-11-28)

Fix

  • fix: type hint for get_component_by_purl is incorrect

chore: force automated release Signed-off-by: Paul Horton <paul.horton@owasp.org> (3f20bf0)

Unknown

  • 3.1.1

Automatically generated by python-semantic-release (503955e)

  • Merge pull request #310 from gruebel/fix-method-type-hint

fix: type hint for get_component_by_purl is incorrect (06037b9)

  • move tests to model bom file

Signed-off-by: gruebel <anton.gruebel@gmail.com> (4c8a3ab)

  • fix type hint for get_component_by_purl

Signed-off-by: gruebel <anton.gruebel@gmail.com> (735c05e)

v3.1.0 (2022-09-15)

Feature

  • feat: out-factor SPDX compund detection

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (fd4d537)

  • feat: out-factor SPDX compund detection

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (2b69925)

  • feat: license factories

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (033bad2)

Unknown

  • 3.1.0

Automatically generated by python-semantic-release (e52c174)

  • Merge pull request #305 from CycloneDX/license-factories

feat: add license factories to more easily support creation of License or LicenseChoice from SPDX license strings #304 (5ff4494)

  • Merge pull request #301 from CycloneDX/fix-poetry-in-tox

chore: fix poetry in tox (92aea8d)

  • remove v3 from CHANGELOG #286 (#287)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (7029721)

  • 3.0.0

Automatically generated by python-semantic-release (69582ff)

v2.7.1 (2022-08-01)

Fix

  • fix: pinned mypy &lt;= 0.961 due to #278

Signed-off-by: Paul Horton <paul.horton@owasp.org> (d6955cb)

  • fix: properly support nested components and services #275

Signed-off-by: Paul Horton <paul.horton@owasp.org> (6597db7)

Unknown

  • Merge pull request #276 from CycloneDX/fix/bom-validation-nested-components-isue-275

fix: BOM validation fails when Components or Services are nested #275

fix: updated dependencies #271, #270, #269 and #256 (68a0cdd)

  • Merge branch 'main' into fix/bom-validation-nested-components-isue-275 (6caee65)

  • added tests to cover new Component.get_all_nested_components() method

Signed-off-by: Paul Horton <paul.horton@owasp.org> (75a77ed)

  • Revert "chore: re-added isort to pre-commit hooks"

This reverts commit f50ee1eb79f3f4e5b9d21824e64192d0af43d3f0.

Signed-off-by: Paul Horton <paul.horton@owasp.org> (5f7f30e)

  • removed tests where services are part of dependency tree - see #277

Signed-off-by: Paul Horton <paul.horton@owasp.org> (f26862b)

  • aded XML output tests for Issue #275

Signed-off-by: Paul Horton <paul.horton@owasp.org> (ebef5f2)

  • updated XML output tests

Signed-off-by: Paul Horton <paul.horton@owasp.org> (356c37e)

  • addressed JSON output for #275 including test addiitions

Signed-off-by: Paul Horton <paul.horton@owasp.org> (692c005)

v2.7.0 (2022-07-21)

Feature

  • feat: support for CycloneDX schema 1.4.2 - adds vulnerability.properties to the schema (32e7929)

  • feat: support for CycloneDX schema version 1.4.2

  • Provides support for vulnerability.properties

Signed-off-by: Paul Horton <paul.horton@owasp.org> (db7445c)

  • feat: added updated CycloneDX 1.4.2 schemas

Signed-off-by: Paul Horton <paul.horton@owasp.org> (7fb27ae)

Unknown

  • 2.7.0

Automatically generated by python-semantic-release (96d155e)

v2.6.0 (2022-06-20)

Feature

  • feat: reduce unnessessarry type casting of set/SortedSet (#203)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (089d971)

Unknown

  • 2.6.0

Automatically generated by python-semantic-release (8481e9b)

v2.5.2 (2022-06-15)

Fix

  • fix: add expected lower-than comparators for OrganizationalEntity and VulnerabilityCredits (#248)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (0046ee1)

Unknown

  • 2.5.2

Automatically generated by python-semantic-release (fb9a796)

v2.5.1 (2022-06-10)

Fix

  • fix: add missing Vulnerability comparator for sorting (#246)

Partial fix for #245.

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (c3f3d0d)

Unknown

  • 2.5.1

Automatically generated by python-semantic-release (1ea5b20)

v2.5.0 (2022-06-10)

Build

  • build: move typing to dev-dependencies

Move types-setuptools and types-toml to dev-dependencies (#226)

Signed-off-by: Adam Johnson <me@adamj.eu> (0e2376b)

Documentation

  • docs: fix typo "This is out" -> "This is our"

Fix typo in comments: "This is out" -> "This is our" (#233)

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (ef0278a)

Feature

  • feat: use SortedSet in model to improve reproducibility - this will provide predictable ordering of various items in generated CycloneDX documents - thanks to @RodneyRichardson

Signed-off-by: Paul Horton <paul.horton@owasp.org> (8a1c404)

Unknown

  • 2.5.0

Automatically generated by python-semantic-release (c820423)

  • Merge pull request #235 from RodneyRichardson/use-sorted-set

feat: use SortedSet in model to improve reproducibility - this will provide predictable ordering of various items in generated CycloneDX documents - thanks to @RodneyRichardson (c43f6d8)

  • Merge branch 'CycloneDX:main' into use-sorted-set (1b8ac25)

  • Fix SortedSet type hints for python < 3.8

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (71eeb4a)

  • Fix line length warning.

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (e9ee712)

  • Fix more type hints for python < 3.8

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (f042bce)

  • Fix SortedSet type hints for python < 3.8

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (2e283ab)

  • Fix type hint on ComparableTuple

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (43ef908)

  • Sort usings.

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (8f86c12)

  • Fix sonatype-lift warnings

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (f1e92e3)

  • Fix warnings.

Change tuple -> Tuple Fix Diff initialization Add sorting to AttachedText

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (2b47ff6)

  • Reduce sortedcontainers.pyi to only the functions used.

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (ef0fbe2)

  • Remove flake8 warnings

Remove unused imports and trailing whitespace. Sort usings in pyi file.

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (41d1bee)

  • Add type hints for SortedSet

Fix use of set/Set.

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (df0f554)

  • Replace object type hint in lt with Any

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (ec22f68)

  • Make reorder() return type explicit List (as flagged by sonatype-lift bot)

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (695ee86)

  • Use SortedSet in model to improve reproducibility

Added __lt__() to all model classes used in SortedSet, with tests Explicitly declared Enums as (str, Enum) to allow sorting Added dependency to sortedcollections package

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (368f522)

v2.4.0 (2022-05-17)

Feature

  • feat(deps): remove unused typing-extensions constraints

PullRequest and details via #224

Signed-off-by: gruebel <anton.gruebel@gmail.com> (2ce358a)

Unknown

  • 2.4.0

Automatically generated by python-semantic-release (4874354)

  • revert types-toml on lowest setup (32ece98)

v2.3.0 (2022-04-20)

Feature

  • feat: add support for Dependency Graph in Model and output serialisation

Signed-off-by: Paul Horton <paul.horton@owasp.org> (ea34513)

Unknown

  • 2.3.0

Automatically generated by python-semantic-release (5c1047a)

  • Merge pull request #210 from CycloneDX/feat/support-bom-dependencies

feat: add support for Dependency Graph in Model and output serialisation (JSON and XML) (938169c)

  • Merge pull request #214 from CycloneDX/feat/support-bom-dependencies-no-cast

no cast (2551545)

  • no cast

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (dec3b70)

  • update to use Set operators (more Pythonic)

Signed-off-by: Paul Horton <paul.horton@owasp.org> (f01665e)

  • missing closing &gt; in BomRef.__repr__

Signed-off-by: Paul Horton <paul.horton@owasp.org> (2c7c4be)

  • removed unnecessary condition - self.get_bom().components is always a Set

Signed-off-by: Paul Horton <paul.horton@owasp.org> (5eb5669)

  • added additional tests to validate Component in Metadata is properly represented in Dependency Graph

Signed-off-by: Paul Horton <paul.horton@owasp.org> (b8d526e)

  • adjusted unit tests to account for inclusion of Component in Bom Metadata in Dependency Graphy

Signed-off-by: Paul Horton <paul.horton@owasp.org> (c605f2b)

  • updates based on feedback from @jkowalleck

Signed-off-by: Paul Horton <paul.horton@owasp.org> (04511f3)

  • Merge branch 'feat/support-bom-dependencies' of github.com:CycloneDX/cyclonedx-python-lib into feat/support-bom-dependencies (8fb408c)

  • doc: updated docs to reflect support for Dependency Graph

Signed-off-by: Paul Horton <paul.horton@owasp.org> (a680544)

  • updated file hash in test

Signed-off-by: Paul Horton <paul.horton@owasp.org> (56f3d5d)

  • removed unused import

Signed-off-by: Paul Horton <paul.horton@owasp.org> (61c3338)

  • doc: updated docs to reflect support for Dependency Graph

Signed-off-by: Paul Horton <paul.horton@owasp.org> (3df017f)

  • updated file hash in test

Signed-off-by: Paul Horton <paul.horton@owasp.org> (449cb1e)

  • removed unused import

Signed-off-by: Paul Horton <paul.horton@owasp.org> (f487c4a)

v2.2.0 (2022-04-12)

Feature

Signed-off-by: Paul Horton <phorton@sonatype.com> (bd2e756)

  • feat: bump JSON schemas to latest fix verison for 1.2 and 1.3 - see:

Signed-off-by: Paul Horton <phorton@sonatype.com> (bd6a088)

Unknown

  • 2.2.0

Automatically generated by python-semantic-release (67ecfac)

  • Merge pull request #207 from CycloneDX/feat/update-schemas

feat: Update CycloneDX Schemas to latest patch versions (2c55cb5)

  • mark schema files as vendored

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (a9c3e77)

  • Merge pull request #191 from CycloneDX/feat/pre-commit-hooks

[DEV] Add pre-commit hooks (91ceeb1)

v2.1.1 (2022-04-05)

Fix

  • fix: prevent error if version not set

Signed-off-by: Paul Horton <phorton@sonatype.com> (b9a84b5)

Unknown

  • 2.1.1

Automatically generated by python-semantic-release (f78d608)

  • Merge pull request #194 from CycloneDX/fix/json-output-version-optional-bug-193

fix: version being optional in JSON output can raise error (6f7e09a)

v2.1.0 (2022-03-28)

Feature

  • feat: output errors are verbose

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (bfe8fb1)

Fix

  • fix: version being optional in JSON output can raise error

Signed-off-by: Paul Horton <phorton@sonatype.com> (ba0c82f)

Unknown

  • 2.1.0

Automatically generated by python-semantic-release (c58f8f8)

  • Merge pull request #198 from CycloneDX/verbose_outout_errors

fix: improved output errors - file/directory is now included (4618c62)

  • updated to be more pythonic

Signed-off-by: Paul Horton <phorton@sonatype.com> (a1bbf00)

  • doc: added CONTRIBUTING to public docs doc: included pre-commit hooks in CONTRIBUTING

Signed-off-by: Paul Horton <phorton@sonatype.com> (f38215f)

  • Merge pull request #182 from CycloneDX/sort-imports

style: sort imports (aa37e56)

v2.0.0 (2022-02-21)

Breaking

  • feat: bump dependencies

BREAKING CHANGE: Adopt PEP-3102

BREAKING CHANGE: Optional Lists are now non-optional Sets

BREAKING CHANGE: Remove concept of DEFAULT schema version - replaced with LATEST schema version

BREAKING CHANGE: Added BomRef data type

Signed-off-by: Paul Horton <phorton@sonatype.com> (da3f0ca)

Feature

  • feat: completed work on #155 (#172)

fix: resolved #169 (part of #155) feat: as part of solving #155, #147 has been implemented

Signed-off-by: Paul Horton <phorton@sonatype.com> (a926b34)

  • feat: support complete model for bom.metadata (#162)

  • feat: support complete model for bom.metadata fix: JSON comparison in unit tests was broken chore: corrected some source license headers

Signed-off-by: Paul Horton <phorton@sonatype.com> (2938a6c)

  • feat: support for bom.externalReferences in JSON and XML #124

Signed-off-by: Paul Horton <phorton@sonatype.com> (1b733d7)

  • feat: Complete support for bom.components (#155)

  • fix: implemented correct __hash__ methods in models (#153)

Signed-off-by: Paul Horton <phorton@sonatype.com> (32c0139)

  • feat: support services in XML BOMs feat: support nested services in JSON and XML BOMs

Signed-off-by: Paul Horton <phorton@sonatype.com> (9edf6c9)

Fix

  • fix: license_url not serialised in XML output #179 (#180)

Signed-off-by: Paul Horton <phorton@sonatype.com> (f014d7c)

  • fix: Component.bom_ref is not Optional in our model implementation (in the schema it is) - we generate a UUID if bom_ref is not supplied explicitly

Signed-off-by: Paul Horton <phorton@sonatype.com> (5c954d1)

  • fix: temporary fix for __hash__ of Component with properties #153

Signed-off-by: Paul Horton <phorton@sonatype.com> (a51766d)

  • fix: further fix for #150

Signed-off-by: Paul Horton <phorton@sonatype.com> (1f55f3e)

  • fix: regression introduced by first fix for #150

Signed-off-by: Paul Horton <phorton@sonatype.com> (c09e396)

  • fix: Components with no version (optional since 1.4) produce invalid BOM output in XML #150

Signed-off-by: Paul Horton <phorton@sonatype.com> (70d25c8)

  • fix: expression not supported in Component Licsnes for version 1.0

Signed-off-by: Paul Horton <phorton@sonatype.com> (15b081b)

Unknown

  • 2.0.0

Automatically generated by python-semantic-release (a4af3dc)

  • Merge pull request #148 from CycloneDX/feat/add-bom-services (631e400)

  • Merge branch 'main' into feat/add-bom-services (9a32351)

  • doc: added RTD badge to README

Signed-off-by: Paul Horton <phorton@sonatype.com> (b20d9d1)

  • implemented __str__ for BomRef

Signed-off-by: Paul Horton <phorton@sonatype.com> (670bde4)

  • Continuation of #170 - missed updating Vulnerability to use BomRef (#175)

  • BREAKING CHANGE: added new model BomRef unlocking logic later to ensure uniquness and dependency references

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • updated Vulnerability to also use new BomRef model

Signed-off-by: Paul Horton <phorton@sonatype.com> (0d82c01)

  • BREAKING CHANGE: added new model BomRef unlocking logic later to ensure uniquness and dependency references (#174)

Signed-off-by: Paul Horton <phorton@sonatype.com> (d189f2c)

  • BREAKING CHANGE: replaced concept of default schema version with latest supported #171 (#173)

Signed-off-by: Paul Horton <phorton@sonatype.com> (020fcf0)

  • BREAKING CHANGE: Updated default schema version to 1.4 from 1.3 (#164)

Signed-off-by: Paul Horton <phorton@sonatype.com> (9b6ce4b)

  • BREAKING CHANGE: update models to use Set rather than List (#160)

  • BREAKING CHANGE: update models to use Set and Iterable rather than List[..] BREAKING CHANGE: update final models to use @property wip

Signed-off-by: Paul Horton <phorton@sonatype.com> (142b8bf)

  • removed unnecessary calls to hash() in __hash__() methods as pointed out by @jkowalleck

Signed-off-by: Paul Horton <phorton@sonatype.com> (0f1fd6d)

  • BREAKING CHANGE: adopted PEP-3102 for model classes (#158)

Signed-off-by: Paul Horton <phorton@sonatype.com> (b3c8d9a)

  • doc: added page to docs to call out which parts of the specification this library supports

Signed-off-by: Paul Horton <phorton@sonatype.com> (41a4be0)

  • attempt to resolve Lift finding

Signed-off-by: Paul Horton <phorton@sonatype.com> (2090c08)

  • removed unused imports

Signed-off-by: Paul Horton <phorton@sonatype.com> (a35d540)

  • WIP on bom.services

  • WIP but a lil hand up for @madpah

Signed-off-by: Jeffry Hesse <5544326+DarthHater@users.noreply.github.com>

  • chore: added missing license header

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • No default values for required fields

  • Add Services to BOM

  • Typo fix

  • aligned classes with standards, commented out Signature work for now, added first tests for Services

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • addressed standards

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • 1.2.0

Automatically generated by python-semantic-release

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • feat: bom-ref for Component and Vulnerability default to a UUID (#142)

  • feat: bom-ref for Component and Vulnerability default to a UUID if not supplied ensuring they have a unique value #141

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • doc: updated documentation to reflect change

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • patched other tests to support UUID for bom-ref

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • better syntax

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • 1.3.0

Automatically generated by python-semantic-release

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • WIP but a lil hand up for @madpah

Signed-off-by: Jeffry Hesse <5544326+DarthHater@users.noreply.github.com> Signed-off-by: Paul Horton <phorton@sonatype.com>

  • chore: added missing license header

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • aligned classes with standards, commented out Signature work for now, added first tests for Services

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • removed signature from this branch

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • Add Services to BOM

  • Typo fix

  • addressed standards

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • resolved typing issues from merge

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • added a bunch more tests for JSON output

Signed-off-by: Paul Horton <phorton@sonatype.com>

Co-authored-by: Paul Horton <phorton@sonatype.com> Co-authored-by: github-actions <action@github.com> (b45ff18)

v1.3.0 (2022-01-24)

Feature

  • feat: bom-ref for Component and Vulnerability default to a UUID (#142)

  • feat: bom-ref for Component and Vulnerability default to a UUID if not supplied ensuring they have a unique value #141

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • doc: updated documentation to reflect change

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • patched other tests to support UUID for bom-ref

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • better syntax

Signed-off-by: Paul Horton <phorton@sonatype.com> (3953bb6)

Unknown

  • 1.3.0

Automatically generated by python-semantic-release (4178181)

v1.2.0 (2022-01-24)

Feature

  • feat: add CPE to component (#138)

  • Added CPE to component

Setting CPE was missing for component, now it is possible to set CPE and output CPE for a component.

Signed-off-by: Jens Lucius <jens.lucius@de.bosch.com>

  • Fixing problems with CPE addition
  • Fixed styling errors
  • Added reference to CPE Spec
  • Adding CPE parameter as last parameter to not break arguments

Signed-off-by: Jens Lucius <jens.lucius@de.bosch.com>

  • Again fixes for Style and CPE reference

Missing in the last commit

Signed-off-by: Jens Lucius <jens.lucius@de.bosch.com>

  • Added CPE as argument before deprecated arguments

Signed-off-by: Jens Lucius <jens.lucius@de.bosch.com>

  • Added testing for CPE addition and error fixing
  • Added output tests for CPE in XML and JSON
  • Fixes style error in components
  • Fixes order for CPE output in XML (CPE has to come before PURL)

Signed-off-by: Jens Lucius <jens.lucius@de.bosch.com>

  • Fixed output tests

CPE was still in the wrong position in one of the tests - fixed

Signed-off-by: Jens Lucius <jens.lucius@de.bosch.com>

  • Fixed minor test fixtures issues
  • cpe was still in wrong position in 1.2 JSON
  • Indentation fixed in 1.4 JSON

Signed-off-by: Jens Lucius <jens.lucius@de.bosch.com>

  • Fixed missing comma in JSON 1.2 test file

Signed-off-by: Jens Lucius <jens.lucius@de.bosch.com> (269ee15)

Unknown

  • 1.2.0

Automatically generated by python-semantic-release (97c215c)

v1.1.1 (2022-01-19)

Fix

  • fix: bump dependencies (#136)

Signed-off-by: Paul Horton <phorton@sonatype.com> (18ec498)

Unknown

  • 1.1.1

Automatically generated by python-semantic-release (dec63de)

v1.1.0 (2022-01-13)

Feature

  • feat: add support for bom.metadata.component (#118)

  • Add support for metadata component

Part of #6

Signed-off-by: Artem Smotrakov <asmotrakov@riotgames.com>

  • Better docs and simpler ifs

Signed-off-by: Artem Smotrakov <asmotrakov@riotgames.com> (1ac31f4)

Unknown

  • 1.1.0

Automatically generated by python-semantic-release (d4007bd)

v1.0.0 (2022-01-13)

Unknown

  • Manually generated release (3509fb6)

  • Support for CycloneDX schema version 1.4 (#108)

BREAKING CHANGE: Support for CycloneDX 1.4. This includes:

  • Support for tools having externalReferences
  • Allowing version for a Component to be optional in 1.4
  • Support for releaseNotes per Component
  • Support for the core schema implementation of Vulnerabilities (VEX)

Other changes included in this PR:

  • Unit tests now include schema validation (we've left schema validation out of the core library due to dependency bloat)
  • Fixes to ensure schema is adhered to in 1.0
  • URI's are now used throughout the library through a new XsUri class to provide URI validation
  • Documentation is now hosted on readthedocs.org (https://cyclonedx-python-library.readthedocs.io/)
  • $schema is now included in JSON BOMs
  • Concrete Parsers how now been moved into downstream projects to keep this libraries focus on modelling and outputting CycloneDX - see https://github.com/CycloneDX/cyclonedx-python
  • Added reference to release of this library on Anaconda

Signed-off-by: Paul Horton <phorton@sonatype.com>

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

Co-authored-by: Paul Horton <phorton@sonatype.com>

Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com> (7fb6da9)

  • Merge branch 'main' of github.com:CycloneDX/cyclonedx-python-lib (d26970b)

  • Update CONTRIBUTING.md (4448d9b)

v0.12.3 (2021-12-15)

Fix

  • fix: removed requirements-parser as dependency (temp) as not available for Python 3 as Wheel (#98)

Signed-off-by: Paul Horton <phorton@sonatype.com> (3677d9f)

Unknown

  • 0.12.3

Automatically generated by python-semantic-release (cfc9d38)

v0.12.2 (2021-12-09)

Fix

  • fix: tightened dependency packageurl-python (#95)

fixes #94

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (eb4ae5c)

Unknown

  • 0.12.2

Automatically generated by python-semantic-release (54b9f74)

v0.12.1 (2021-12-09)

Fix

  • fix: further loosened dependency definitions

see #44

updated some locked dependencies to latest versions

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (8bef6ec)

Unknown

  • 0.12.1

Automatically generated by python-semantic-release (43fc36e)

v0.12.0 (2021-12-09)

Feature

  • feat: loosed dependency versions to make this library more consumable

  • feat: lowering minimum dependency versions

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • feat: lowering minimum dependency versions

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • feat: lowering minimum dependency versions - importlib-metadata raising minimum to ensure we get a typed library

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • feat: lowering minimum dependency versions - importlib-metadata raising minimum to ensure we get a typed library

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • feat: lowering minimum version for importlib-metadata to 3.4.0 with modified import statement

Signed-off-by: Paul Horton <phorton@sonatype.com> (55f10fb)

Unknown

  • 0.12.0

Automatically generated by python-semantic-release (1a907ea)

  • Merge pull request #88 from CycloneDX/contributing-file

initial CONTRIBUTING file (20035bb)

  • initial CONTRIBUTING file

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (6ffe14d)

  • CHORE: poetry(deps): bump filelock from 3.3.2 to 3.4.0

poetry(deps): bump filelock from 3.3.2 to 3.4.0 (e144aa2)

  • CHORE: poetry(deps): bump types-setuptools from 57.4.2 to 57.4.4

poetry(deps): bump types-setuptools from 57.4.2 to 57.4.4 (5fcdcb7)

  • poetry(deps): bump filelock from 3.3.2 to 3.4.0

Bumps filelock from 3.3.2 to 3.4.0.


updated-dependencies:

  • dependency-name: filelock dependency-type: indirect update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] <support@github.com> (8d4520e)

  • CHORE: poetry(deps-dev): bump flake8-bugbear from 21.9.2 to 21.11.29

poetry(deps-dev): bump flake8-bugbear from 21.9.2 to 21.11.29 (fc6e3ac)

  • poetry(deps): bump types-setuptools from 57.4.2 to 57.4.4

Bumps types-setuptools from 57.4.2 to 57.4.4.


updated-dependencies:

  • dependency-name: types-setuptools dependency-type: direct:production update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] <support@github.com> (00dcbb8)

  • CHORE: poetry(deps): bump importlib-metadata from 4.8.1 to 4.8.2

poetry(deps): bump importlib-metadata from 4.8.1 to 4.8.2 (28f9676)

  • poetry(deps-dev): bump flake8-bugbear from 21.9.2 to 21.11.29

Bumps flake8-bugbear from 21.9.2 to 21.11.29.


updated-dependencies:

  • dependency-name: flake8-bugbear dependency-type: direct:development update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] <support@github.com> (1eec2e8)

  • CHORE: poetry(deps-dev): bump coverage from 6.1.2 to 6.2

poetry(deps-dev): bump coverage from 6.1.2 to 6.2 (bdd9365)

  • CHORE: poetry(deps): bump mako from 1.1.5 to 1.1.6

poetry(deps): bump mako from 1.1.5 to 1.1.6 (33d3ecc)

  • poetry(deps-dev): bump coverage from 6.1.2 to 6.2

Bumps coverage from 6.1.2 to 6.2.


updated-dependencies:

  • dependency-name: coverage dependency-type: direct:development update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] <support@github.com> (be1af9b)

  • DOCS: fix README shields & links (43b1121)

  • doc: readme maintenance - shields & links (#72)

  • README: restructure links

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • README: add lan to fenced code blocks

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • README: fix some formatting

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • README: modernized shields

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • README: harmonize links

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • README: add language to code fences

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • README: markdown fixes

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • README: removed py version shield

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (3d0ea2f)

  • poetry(deps): bump mako from 1.1.5 to 1.1.6

Bumps mako from 1.1.5 to 1.1.6.


updated-dependencies:

  • dependency-name: mako dependency-type: indirect update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] <support@github.com> (3344b86)

  • Merge pull request #47 from CycloneDX/dependabot/pip/filelock-3.3.2

poetry(deps): bump filelock from 3.3.1 to 3.3.2 (3f967b3)

  • FIX: update Conda package parsing to handle build containing underscore (#66)

  • fix: update conda package parsing to handle build containing underscore

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • updated some typings

Signed-off-by: Paul Horton <phorton@sonatype.com> (2c6020a)

  • poetry(deps): bump importlib-metadata from 4.8.1 to 4.8.2

Bumps importlib-metadata from 4.8.1 to 4.8.2.


updated-dependencies:

  • dependency-name: importlib-metadata dependency-type: direct:production update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] <support@github.com> (003f6b4)

  • poetry(deps): bump filelock from 3.3.1 to 3.3.2

Bumps filelock from 3.3.1 to 3.3.2.


updated-dependencies:

  • dependency-name: filelock dependency-type: indirect update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] <support@github.com> (55022b7)

  • Merge pull request #45 from CycloneDX/dependabot/pip/importlib-resources-5.4.0

poetry(deps): bump importlib-resources from 5.3.0 to 5.4.0 (b8acf9f)

  • Merge pull request #70 from CycloneDX/dependabot/pip/pyparsing-3.0.6

poetry(deps): bump pyparsing from 3.0.5 to 3.0.6 (faa8628)

  • Merge pull request #69 from CycloneDX/dependabot/pip/coverage-6.1.2

poetry(deps-dev): bump coverage from 6.1.1 to 6.1.2 (eba56dc)

  • poetry(deps): bump pyparsing from 3.0.5 to 3.0.6

Bumps pyparsing from 3.0.5 to 3.0.6.


updated-dependencies:

  • dependency-name: pyparsing dependency-type: indirect update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] <support@github.com> (4f2b2d8)

  • poetry(deps-dev): bump coverage from 6.1.1 to 6.1.2

Bumps coverage from 6.1.1 to 6.1.2.


updated-dependencies:

  • dependency-name: coverage dependency-type: direct:development update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] <support@github.com> (1d0f5ea)

v0.11.1 (2021-11-10)

Fix

  • fix: constructor for Vulnerability to correctly define ratings as optional

Signed-off-by: William Woodruff <william@trailofbits.com> (395a0ec)

Unknown

  • 0.11.1

Automatically generated by python-semantic-release (a80f87a)

  • FEAT: Support Python 3.10 (#64)

  • fix: tested with Python 3.10

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • added trove classifier for Python 3.10

Signed-off-by: Paul Horton <phorton@sonatype.com>

Signed-off-by: Paul Horton <phorton@sonatype.com> (385b835)

  • poetry(deps): bump importlib-resources from 5.3.0 to 5.4.0

Bumps importlib-resources from 5.3.0 to 5.4.0.


updated-dependencies:

  • dependency-name: importlib-resources dependency-type: indirect update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] <support@github.com> (a1dd775)

v0.11.0 (2021-11-10)

Feature

  • feat: Typing & PEP 561

  • adde file for type checkers according to PEP 561

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • added static code analysis as a dev-test

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • added the "typed" trove

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • added flake8-annotations to the tests

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • added type hints

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • further typing updates

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • further typing additions and test updates

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • further typing

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • further typing - added type stubs for toml and setuptools

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • further typing

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • typing work

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • coding standards

Signed-off-by: Paul Horton <phorton@sonatype.com>

  • fixed tox and mypy running in correct python version

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • supressed mypy for cyclonedx.utils.conda.parse_conda_json_to_conda_package

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • fixed type hints

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • fixed some typing related flaws

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

  • added flake8-bugbear for code analysis

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

Co-authored-by: Paul Horton <phorton@sonatype.com> (9144765)

Unknown

  • 0.11.0

Automatically generated by python-semantic-release (7262783)

  • Merge pull request #41 from jkowalleck/improv-abstract

fixed some abstract definitions (f34e2c2)

  • Merge pull request #42 from jkowalleck/improv-pipenv

slacked pipenv parser (08bc4ab)

  • Merge pull request #43 from jkowalleck/improv-conda-typehints

fixed typehints/docs in _BaseCondaParser (931016d)

  • Merge pull request #54 from jkowalleck/create-CODEOWNERS

created CODEOWNERS (7f28bef)

  • Merge pull request #56 from CycloneDX/dependabot/pip/py-1.11.0

poetry(deps): bump py from 1.10.0 to 1.11.0 (f1cda3c)

  • Merge pull request #58 from CycloneDX/dependabot/pip/pyparsing-3.0.5

poetry(deps): bump pyparsing from 2.4.7 to 3.0.5 (0525439)

  • Merge pull request #19 from CycloneDX/dependabot/pip/zipp-3.6.0

poetry(deps): bump zipp from 3.5.0 to 3.6.0 (c54c968)

  • poetry(deps): bump py from 1.10.0 to 1.11.0

Bumps py from 1.10.0 to 1.11.0.


updated-dependencies:

  • dependency-name: py dependency-type: indirect update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] <support@github.com> (330711f)

  • Merge pull request #57 from CycloneDX/dependabot/pip/coverage-6.1.1

poetry(deps-dev): bump coverage from 5.5 to 6.1.1 (fa55e5c)

  • poetry(deps): bump pyparsing from 2.4.7 to 3.0.5

Bumps pyparsing from 2.4.7 to 3.0.5.


updated-dependencies:

  • dependency-name: pyparsing dependency-type: indirect update-type: version-update:semver-major ...

Signed-off-by: dependabot[bot] <support@github.com> (3bedaff)

  • Merge pull request #55 from CycloneDX/dependabot/pip/virtualenv-20.10.0

poetry(deps): bump virtualenv from 20.8.1 to 20.10.0 (4c3df85)

  • CI/CT runs on main & master branch (2d0df7b)

  • poetry(deps-dev): bump coverage from 5.5 to 6.1.1

Bumps coverage from 5.5 to 6.1.1.


updated-dependencies:

  • dependency-name: coverage dependency-type: direct:development update-type: version-update:semver-major ...

Signed-off-by: dependabot[bot] <support@github.com> (e322d74)

  • poetry(deps): bump virtualenv from 20.8.1 to 20.10.0

Bumps virtualenv from 20.8.1 to 20.10.0.


updated-dependencies:

  • dependency-name: virtualenv dependency-type: indirect update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] <support@github.com> (3927cdc)

  • created CODEOWNERS

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (e8e499c)

  • fixed typehints/docs in _BaseCondaParser

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (af6ddfd)

  • slacked pipenv parser

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (a3572ba)

  • fixed some abstract definitions

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (9e67998)

v0.10.2 (2021-10-21)

Fix

  • fix: correct way to write utf-8 encoded files

Signed-off-by: Paul Horton <phorton@sonatype.com> (49f9369)

Unknown

  • 0.10.2

Automatically generated by python-semantic-release (79538e9)

v0.10.1 (2021-10-21)

Fix

  • fix: ensure output to file is UTF-8

Signed-off-by: Paul Horton <phorton@sonatype.com> (a10da20)

  • fix: ensure output to file is UTF-8

Signed-off-by: Paul Horton <phorton@sonatype.com> (193bf64)

Unknown

  • 0.10.1

Automatically generated by python-semantic-release (e6451a3)

  • Merge pull request #40 from CycloneDX/fix/issue-39-windows-UnicodeEncodeError

FIX: Resolve file encoding issues on Windows (48329e0)

  • remove memoryview from sha1 file hashing

Signed-off-by: Paul Horton <phorton@sonatype.com> (a56be0f)

  • added debug to CI to aid understanding of miss matching SHA1 hashes on Windows

Signed-off-by: Paul Horton <phorton@sonatype.com> (10c6b51)

v0.10.0 (2021-10-20)

Feature

  • feat: add support for Conda

Signed-off-by: Paul Horton <phorton@sonatype.com> (bd29c78)

Unknown

  • 0.10.0

Automatically generated by python-semantic-release (eea3598)

  • Merge pull request #38 from CycloneDX/feat/conda-support

feat: add support for Conda (ee5d36d)

  • add support pre Python 3.8

Signed-off-by: Paul Horton <phorton@sonatype.com> (2d01116)

  • doc: updated documentation with Conda support (and missed updates for externalReferences)

Signed-off-by: Paul Horton <phorton@sonatype.com> (57e9dc7)

v0.9.1 (2021-10-19)

Fix

  • fix: missing check for Classifiers in Environment Parser

Signed-off-by: Paul Horton <phorton@sonatype.com> (b7fa38e)

Unknown

  • 0.9.1

Automatically generated by python-semantic-release (f132c92)

  • Merge branch 'main' of github.com:CycloneDX/cyclonedx-python-lib (51a1e50)

v0.9.0 (2021-10-19)

Feature

  • feat: add support for parsing package licenses when using the Environment Parsers

Signed-off-by: Paul Horton <phorton@sonatype.com> (c414eaf)

Unknown

  • 0.9.0

Automatically generated by python-semantic-release (ad65564)

  • Merge pull request #36 from CycloneDX/feat/add-license-support

Add support for parsing package licenses from installed packages (d45f75b)

v0.8.3 (2021-10-14)

Fix

  • fix: coding standards violations

Signed-off-by: Paul Horton <phorton@sonatype.com> (00cd1ca)

  • fix: handle Pipfile.lock dependencies without an index specified fix: multiple fixes in variable scoping to prevent accidental data sharing

Signed-off-by: Paul Horton <phorton@sonatype.com> (26c62fb)

Unknown

  • 0.8.3

Automatically generated by python-semantic-release (91f9a8b)

  • Merge pull request #34 from CycloneDX/fix/issue-33-pipfile-lock-parse-failure

BUG: Fixe for Pipfile.lock parsing + accidental data sharing issues identified during testing (4079323)

v0.8.2 (2021-10-14)

Fix

  • fix: add namespace and subpath support to Component to complete PackageURL Spec support

Signed-off-by: Paul Horton <phorton@sonatype.com> (780adeb)

Unknown

  • 0.8.2

Automatically generated by python-semantic-release (298318f)

  • Merge pull request #32 from CycloneDX/feat/full-packageurl-support

Add namespace and subpath support to Component (bb3af91)

v0.8.1 (2021-10-12)

Fix

  • fix: multiple hashes being created for an externalRefernce which is not as required

Signed-off-by: Paul Horton <phorton@sonatype.com> (970d192)

Unknown

  • 0.8.1

Automatically generated by python-semantic-release (70689a2)

v0.8.0 (2021-10-12)

Feature

  • feat: add support for externalReferneces for Components and associated enhancements to parsers to obtain information where possible/known

Signed-off-by: Paul Horton <phorton@sonatype.com> (a152852)

Unknown

  • 0.8.0

Automatically generated by python-semantic-release (7a49f9d)

  • Merge pull request #29 from CycloneDX/feat/component-external-references

FEATURE: Add support for externalReferences against Components (bdee0ea)

  • doc: notable improvements to API documentation generation (added search, branding, a little styling)

Signed-off-by: Paul Horton <phorton@sonatype.com> (e7a5b5a)

v0.7.0 (2021-10-11)

Feature

  • feat: support for pipenv.lock file parsing

Signed-off-by: Paul Horton <phorton@sonatype.com> (68a2dff)

Unknown

  • 0.7.0

Automatically generated by python-semantic-release (827bd1c)

  • Merge pull request #27 from CycloneDX/feat/add-pipenv-support

FEATURE: Add Pipfile.lock (pipenv) support (2c42e2a)

  • doc: updated README.md to include Pipfile.lock parsing

Signed-off-by: Paul Horton <phorton@sonatype.com> (2c66834)

v0.6.2 (2021-10-11)

Fix

  • fix: added ability to add tools in addition to this library when generating CycloneDX + plus fixes relating to multiple BOM instances

Signed-off-by: Paul Horton <phorton@sonatype.com> (e03a25c)

Unknown

  • 0.6.2

Automatically generated by python-semantic-release (e68fbc2)

  • Merge branch 'main' of github.com:CycloneDX/cyclonedx-python-lib (2bf2711)

v0.6.1 (2021-10-11)

Fix

  • fix: better methods for checking if a Component is already represented in the BOM, and the ability to get the existing instance

Signed-off-by: Paul Horton <phorton@sonatype.com> (5fee85f)

Unknown

  • 0.6.1

Automatically generated by python-semantic-release (c530460)

  • Merge branch 'main' of github.com:CycloneDX/cyclonedx-python-lib (eb3a46b)

v0.6.0 (2021-10-11)

Feature

Signed-off-by: Paul Horton <phorton@sonatype.com> (7e0fb3c)

  • feat: support for non-PyPi Components - PackageURL type is now definable when creating a Component

Signed-off-by: Paul Horton <phorton@sonatype.com> (fde79e0)

Unknown

  • 0.6.0

Automatically generated by python-semantic-release (907cd2d)

  • Merge pull request #25 from CycloneDX/feat/additions-to-enable-integration-into-checkov

Support for representing File as Component (63a86b0)

v0.5.0 (2021-10-11)

Build

  • build: updated dependencies, moved pdoc3 to a dev dependency

Signed-off-by: Paul Horton <phorton@sonatype.com> (6a9947d)

Feature

  • feat: add support for tool(s) that generated the SBOM

Signed-off-by: Paul Horton <phorton@sonatype.com> (7d1e6ef)

Fix

  • fix: bumped a dependency version

Signed-off-by: Paul Horton <phorton@sonatype.com> (efc1053)

Unknown

  • 0.5.0

Automatically generated by python-semantic-release (a655d29)

  • Merge pull request #20 from CycloneDX/feat/additional-metadata

feat: add support for tool(s) that generated the SBOM (b33cbf4)

  • fix for Pytho< 3.8 support in tests

Signed-off-by: Paul Horton <phorton@sonatype.com> (c9b6019)

  • ensure support for Python < 3.8

Signed-off-by: Paul Horton <phorton@sonatype.com> (53a82cf)

  • ensure support for Python < 3.8

Signed-off-by: Paul Horton <phorton@sonatype.com> (2a9e56a)

  • doc: added documentation

Signed-off-by: Paul Horton <phorton@sonatype.com> (cf13c68)

  • poetry(deps): bump zipp from 3.5.0 to 3.6.0

Bumps zipp from 3.5.0 to 3.6.0.


updated-dependencies:

  • dependency-name: zipp dependency-type: indirect update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] <support@github.com> (30f2547)

  • doc: bumped gh-action for publishing docs

Signed-off-by: Paul Horton <phorton@sonatype.com> (ac70eee)

  • doc: added documentation to model/bom

Signed-off-by: Paul Horton <phorton@sonatype.com> (fe98ada)

  • doc: formatting

Signed-off-by: Paul Horton <phorton@sonatype.com> (1ad7fb1)

  • doc: added missing docstrings to allow documentation to generate

Signed-off-by: Paul Horton <phorton@sonatype.com> (ed743d9)

  • Merge pull request #10 from coderpatros/docs

Add initial doc generation and publishing (7873ad9)

v0.4.1 (2021-09-27)

Build

  • build: dependencies updated

Signed-off-by: Paul Horton <phorton@sonatype.com> (0411826)

Fix

  • fix: improved handling for requirements.txt content without pinned or declared versions

Signed-off-by: Paul Horton <phorton@sonatype.com> (7f318cb)

Unknown

  • 0.4.1

Automatically generated by python-semantic-release (d5b7a2f)

  • Merge pull request #15 from CycloneDX/fix/issue-14-requirements-unpinned-versions

fix: improved handling for requirements.txt content without pinned … (f248015)

  • Add initial doc generation and publishing

Signed-off-by: Patrick Dwyer <patrick.dwyer@owasp.org> (cd1b558)

v0.4.0 (2021-09-16)

Feature

  • feat: support for localising vectors (i.e. stripping out any scheme prefix)

Signed-off-by: Paul Horton <phorton@sonatype.com> (b9e9e17)

  • feat: helper methods for deriving Severity and SourceType

Signed-off-by: Paul Horton <phorton@sonatype.com> (6a86ec2)

Fix

  • fix: removed print call

Signed-off-by: Paul Horton <phorton@sonatype.com> (8806553)

  • fix: relaxed typing of parameter to be compatible with Python < 3.9

Signed-off-by: Paul Horton <phorton@sonatype.com> (f9c7990)

  • fix: removed print call

Signed-off-by: Paul Horton <phorton@sonatype.com> (d272d2e)

  • fix: remove unused commented out code

Signed-off-by: Paul Horton <phorton@sonatype.com> (ba4f285)

Unknown

  • 0.4.0

Automatically generated by python-semantic-release (f441413)

v0.3.0 (2021-09-15)

Feature

  • feat: adding support for extension schema that descriptions vulnerability disclosures

Signed-off-by: Paul Horton <phorton@sonatype.com> (d496695)

Unknown

  • 0.3.0

Automatically generated by python-semantic-release (a5c3dab)

  • Merge pull request #5 from CycloneDX/feat/support-schema-extension-vulnerability-1.0

FEATURE: add support for Vulnerability Disclosures (6914272)

  • doc: updated README to explain support for Vulnerability Disclosures

Signed-off-by: Paul Horton <phorton@sonatype.com> (f477bf0)

v0.2.0 (2021-09-14)

Feature

  • feat: added helper method to return a PackageURL object representing a Component

Signed-off-by: Paul Horton <phorton@sonatype.com> (367bef1)

Fix

  • fix: whitespace on empty line removed

Signed-off-by: Paul Horton <phorton@sonatype.com> (cfc952e)

Unknown

  • 0.2.0

Automatically generated by python-semantic-release (866eda7)

  • Merge pull request #4 from CycloneDX/feat/component-as-packageurl

fix: whitespace on empty line removed (ddc37f3)

  • Merge branch 'main' of github.com:CycloneDX/cyclonedx-python-lib (6142d2e)

v0.1.0 (2021-09-13)

Feature

  • feat: add poetry support

Signed-off-by: Paul Horton <phorton@sonatype.com> (f3ac42f)

Unknown

  • 0.1.0

Automatically generated by python-semantic-release (0da668f)

  • Merge pull request #3 from CycloneDX/feat/poetry-lock-support

FEATURE: Adde poetry.lock parser support (37ba7c6)

  • feat(parser) - added support for parsing dependencies from poetry.lock files.

Signed-off-by: Paul Horton <phorton@sonatype.com> (15bc553)

  • fix(parser) parsers were able to share state unexpectedly

Signed-off-by: Paul Horton <phorton@sonatype.com> (dc59914)

v0.0.11 (2021-09-10)

Fix

  • fix(test): test was not updated for revised author statement

Signed-off-by: Paul Horton <phorton@sonatype.com> (d1c9d37)

  • fix(build): test failure and dependency missing

Fixed failing tests due to dependency on now removed VERSION file Added flake8 officially as a DEV dependency to poetry

Signed-off-by: Paul Horton <phorton@sonatype.com> (9a2cfe9)

  • fix(build): removed artefacts associtated with non-poetry build

Tidied up project to remove items associated with non-Poetry build process. Also aligned a few references in README to new home of this project under CycloneDX.

Signed-off-by: Paul Horton <phorton@sonatype.com> (f9119d4)

Unknown

  • 0.0.11

Automatically generated by python-semantic-release (1c0aa71)

  • Merge pull request #2 from CycloneDX/fix/tidy-up-build-remove-pip

fix(build): removed artefacts associated with non-poetry build (b7de7b3)

v0.0.10 (2021-09-08)

Fix

Unknown

  • 0.0.10

Automatically generated by python-semantic-release (245d809)

v0.0.9 (2021-09-08)

Fix

  • fix: additional info to poetry, remove circleci (2fcfa5a)

Unknown

  • 0.0.9

Automatically generated by python-semantic-release (e4a90cf)

  • Merge branch 'main' of github.com:CycloneDX/cyclonedx-python-lib into main (69aaba5)

v0.0.8 (2021-09-08)

Fix

  • fix: initial release to pypi, tell poetry to include cyclonedx package (a030177)

Unknown

  • 0.0.8

Automatically generated by python-semantic-release (fc3f24c)

  • Merge branch 'main' of github.com:CycloneDX/cyclonedx-python-lib into main (da2d18c)

v0.0.7 (2021-09-08)

Fix

  • fix: release with full name (4c620ed)

Unknown

  • 0.0.7

Automatically generated by python-semantic-release (19943e8)

v0.0.6 (2021-09-08)

Fix

  • fix: initial release to pypi (99687db)

Unknown

  • 0.0.6

Automatically generated by python-semantic-release (98ad249)

v0.0.5 (2021-09-08)

Unknown

  • 0.0.5

Automatically generated by python-semantic-release (9bf4b9a)

  • Merge branch 'main' of github.com:CycloneDX/cyclonedx-python-lib into main (eeec0bb)

  • Try this on for size (aa93310)

v0.0.4 (2021-09-08)

Unknown

  • 0.0.4

Automatically generated by python-semantic-release (b16d6c5)

v0.0.3 (2021-09-08)

Unknown

  • 0.0.3

Automatically generated by python-semantic-release (05306ee)

  • Merge branch 'main' of github.com:CycloneDX/cyclonedx-python-lib into main (f1d120c)

  • Bump up version of poetry (89db268)

v0.0.2 (2021-09-08)

Unknown

  • 0.0.2

Automatically generated by python-semantic-release (e15dec6)

  • Remove check for push (71b1270)

  • Manual deploy workflow (9b4ac33)

  • License headers, OWASP etc... (559b8d2)

  • Fixed unit tests pinned to a VERISON. (5d907d5)

  • Bump to version 0.0.2 (1050839)

  • Implemented writing SBOM to a file. (74f4153)

  • Updated badge in README to include Python 3.6+ support. (0a5903c)

  • Removed print() statement accidentally left in. (22965a7)

  • Merge pull request #1 from sonatype-nexus-community/features/initial-port-of-v1.1-generation-from-jake

Initial port of library code to new library (2f2634b)

  • Added license headers to all source files. Added classifiers for Python version to setup.py. (bb6bb24)

  • Renamed model file to not reference CycloneDX as the models are agnostic on purpose. (03d03ed)

  • Forgot to add updated poetry.lock file relfecting Python 3.6+ support (5d3d491)

  • Updated project to state support from Python v3.6+ (619ee1d)

  • Adding Python 3.6 support for test & CI. (daa12ba)

  • Fixing CircleCI config. (a446f4c)

  • Fixes to GitHub actions. (d2aa277)

  • Disabled Py3.6 checks and added flake8. (8c01da3)

  • Attempt to fix CI's for multiple Python environments. (affb6b2)

  • Added support for Python versions 3.7+ (ae24ba9)

  • Added missing ENV var for GH actions. (c750ec6)

  • Missed wrapping a coverage command with poetry. (3c74c82)

  • Added poetry virtualenv caching + wrapped tox and coverage with poetry to ensure they run in the poetry venv. (780e3df)

  • Fixed typo in Github action. (3953675)

  • Correction: Supported Python version in setup.py (2f4917b)

  • Updated poetry dependencies and configuration. (75041e5)

  • Initial draft GitHub actions being added. (e2403e8)

  • Added Poetry supprot. (e9a67f8)

  • Addressing issues reported by flake8. (3ad394c)

  • Refactored output classes to use multiple inheritance allowing a single place to define which schema version support various attributes and elements. (95c5b38)

  • Updated README to reflect support for author. (bff5954)

  • Skeleton support for 'author' + v1.1 and v1.0 for JSON added (along with tests). (e987f35)

  • Corrected typo in README (0d2c355)

  • Updated README to include a summary of the support this library provides across the different schema versions. (34f421f)

  • Initial support for V1.0 and V1.1 in XML output format. (37f6b00)

  • Added 'serialNumber' to SBOMs (JSON and XML). (50e3c75)

  • Added a bunch more content to the README to explain how the library can be used. (bb41dc6)

  • Added metadata initial support to JSON output format. (8c5590f)

  • Addition of simple 'metadata' element for XML SBOM's. (f9e9773)

  • Added initial JSON outputter and associated tests. (3e1f5ec)

  • Fix to generate HTML coverage reports and stash in CircleCI builds. (dd88603)

  • Added HTML coverage report. (ce700e5)

  • Missed coverage as a dependency for testing. (01643d6)

  • Added coverage reporting for tests (c34b1a6)

  • Added first tests for XML SBOM generation (v1.3 and v1.2). (cb4337a)

  • WIP: Starting to generate XML output for BOMs (35bdfca)

  • Updated CircleCI config to run tox. Fixed fomratting in tests. (9a56230)

  • Rebasing from main. (822ab8b)

  • Initial skeleton tests for output genereation. (a614f3e)

  • pretty badge (60e975c)

  • initial CI for discussion (7e88cd5)

  • Added a little more information to the README. (460c624)

  • Fixed issue reported by Flake8. Ensuring tests run on PY 3.9. (cce130f)

  • Basic structure without any output generation available (very basic Component definition). (6ac5dc2)

  • Added tox config with flake8 and py3.9 support. (1def201)

  • Initially added skeleton packaging structure and official CycloneDX schemas. (ac519c9)

  • Added inital blank README prior to branching for initial work. (b175f6a)

  • Added inital blank README prior to branching for initial work. (e8b5d48)

  • Initial commit (62353b0)