CHANGELOG

v10.0.0 (2025-04-23)

Features

Python 3.8 is end-of-life.


Signed-off-by: Simoh23999 [email protected]

Signed-off-by: Jan Kowalleck [email protected]

Co-authored-by: Jan Kowalleck [email protected]

v9.1.1-rc.1 (2025-03-03)

v9.1.0 (2025-02-27)

Bug Fixes

  • Improved comparison functionality of model.VulnerabilityAnalysis (#795, 7d57c73)

Signed-off-by: Jan Kowalleck [email protected]

Features

  • model.vulnerabilityanalysis properties for issued/updated datetime (#794, 4a3955a)

Signed-off-by: Indivar Mishra [email protected]

v9.0.2 (2025-02-26)

v9.0.0 (2025-02-26)

Features

BREAKING Changes

  • Fix: model.vulnerability.VulnerabilityReference's properties are all mandatory (#790 via #792)
  • Refactor: Rename spdx.is_compund_expression -> spdx.is_expression (#779)
  • Behavior: BomRef affects comparison/hashing (#754 & #780)
    This is only a breaking change if you relied on ordering of elements.
  • Behavior: streamline comparison/hashing functions (#755)
    This is only a breaking change if you relied on ordering of elements.
  • Dependency: bump dependency py-serializable >=2 <3, was >=1.1.1 <2 (#775)
    This is only a breaking change if you have other packages that depend on that specific version.

Signed-off-by: Jan Kowalleck [email protected]

Signed-off-by: wkoot [email protected]

Signed-off-by: semantic-release [email protected]

Co-authored-by: wkoot [email protected]

Co-authored-by: semantic-release [email protected]

v8.9.0 (2025-02-25)

Documentation

  • Extended instructions for "contributing" (#783, e2a4ed3)

supersedes https://github.com/CycloneDX/cyclonedx-python-lib/pull/773/files#r1954324461


Signed-off-by: Jan Kowalleck [email protected]

Features

  • Avoid raising NoPropertiesProvidedException for optional parameters (#786, 845b8d5)

The following classes' init no longer raise NoPropertiesProvidedException:
  • cyclonedx.model.IdentifiableAction
  • cyclonedx.model.component.Commit
  • cyclonedx.model.component.ComponentEvidence
  • cyclonedx.model.component.Diff
  • cyclonedx.model.component.Pedigree
  • cyclonedx.model.issue.IssueTypeSource
  • cyclonedx.model.vulnerability.VulnerabilityAnalysis
  • cyclonedx.model.vulnerability.VulnerabilityCredits
  • cyclonedx.model.vulnerability.VulnerabilityRating
  • cyclonedx.model.vulnerability.VulnerabilitySource


Signed-off-by: Indivar Mishra [email protected]

v8.8.0 (2025-02-12)

Features

  • Add cyclonedx.model.crypto.ProtocolProperties.crypto_refs (#767, beb35f5)

Signed-off-by: Indivar Mishra [email protected]

v8.7.0 (2025-02-06)

Features

  • Allow empty OrganizationalContact object (#772, 03b35f4)

fixes #771


Signed-off-by: Johannes Feichtner [email protected]

Signed-off-by: Johannes Feichtner [email protected]

v8.6.0 (2025-02-04)

Features

  • Allow empty OrganizationalEntity object (#768, 472bded)

fixes #764

Signed-off-by: Johannes Feichtner [email protected]

  • Expand the capabilities of models.definition.Standard (#713, 901dcdc)

Signed-off-by: Hakan Dilek [email protected]

Signed-off-by: Jan Kowalleck [email protected]

Co-authored-by: Jan Kowalleck [email protected]

v8.5.1 (2025-01-28)

Documentation

  • Fix typos in conda-forge.md and remove unused reference in README (#762, 66ece7a)

  • Fix a few typos in conda-forge.md
  • Removed unused PEP-508 ref in README.md

Signed-off-by: Arthit Suriyawongkul [email protected]

Signed-off-by: Jan Kowalleck [email protected]

Signed-off-by: Jan Kowalleck [email protected]

Features

Deprecates .serialization.BomRefHelper and .serialization.LicenseRepositoryHelper

fixes #756


Signed-off-by: Jan Kowalleck [email protected]

v8.5.0 (2024-11-18)

Documentation

  • Remove invalid docstring note about auto-assigned bom-ref values (#733, 5aa5787)

Features

Signed-off-by: Jan Kowalleck [email protected]

v8.4.0 (2024-10-29)

Bug Fixes

  • No warning for missing dependencies if no component exists (#720, d9c3ded)

Signed-off-by: weichslgartner [email protected]

Features

  • Add factory method XsUri.make_bom_link() (#728, 5ec73d0)

Signed-off-by: Saquib Saifee [email protected]

Co-authored-by: Saquib Saifee [email protected]

v8.3.0 (2024-10-26)

Documentation

Signed-off-by: Jan Kowalleck [email protected]

Features


Signed-off-by: Hakan Dilek [email protected]

v8.2.1 (2024-10-24)

Bug Fixes

Signed-off-by: Jan Kowalleck [email protected]

v8.2.0 (2024-10-22)

Features

Signed-off-by: gruebel [email protected]

v8.1.0 (2024-10-21)

Documentation

  • Fix code examples regarding outputting (#709, c72d5f4)

Signed-off-by: Hakan Dilek [email protected]

Features

  • Add support for Lifecycles in BOM metadata (#698, 6cfeb71)

Signed-off-by: Johannes Feichtner [email protected]

Signed-off-by: Jan Kowalleck [email protected]

Signed-off-by: Johannes Feichtner [email protected]

Co-authored-by: Jan Kowalleck [email protected]

v8.0.0 (2024-10-14)

Documentation

  • changelog: Omit chore/ci/refactor/style/test/build (#703, a210809)

Signed-off-by: Jan Kowalleck [email protected]

Features

BREAKING Changes

  • Removed cyclonedx.model.ThisTool, utilize cyclonedx.builder.this.this_tool() instead.
  • Moved cyclonedx.model.Tool to cyclonedx.model.tool.Tool.
  • Property cyclonedx.model.bom.BomMetaData.tools is of type cyclonedx.model.tool.ToolRepository now, was SortedSet[cyclonedx.model.Tool]. The getter will act accordingly; the setter might act in a backwards-compatible way.
  • Property cyclonedx.model.vulnerability.Vulnerability.tools is of type cyclonedx.model.tool.ToolRepository now, was SortedSet[cyclonedx.model.Tool]. The getter will act accordingly; the setter might act in a backwards-compatible way.
  • Constructor cyclonedx.model.license.LicenseExpression() accepts optional argument acknowledgement only as key-word argument, no longer as positional argument.

Changes

  • Constructor of cyclonedx.model.bom.BomMetaData also accepts an instance of cyclonedx.model.tool.ToolRepository for argument tools.
  • Constructor of cyclonedx.model.bom.BomMetaData no longer adds this very library as a tool. Downstream users SHOULD add it manually, like my-bom.metadata.tools.components.add(cyclonedx.builder.this.this_component()).

Fixes

  • Deserialization of CycloneDX that do not include tools in the metadata are no longer unexpectedly modified/altered.

Added

Enabled Metadata Tools representation and serialization in accordance with CycloneDX 1.5

  • New class cyclonedx.model.tool.ToolRepository.
  • New function cyclonedx.builder.this.this_component() -- representation of this very python library as a Component.
  • New function cyclonedx.builder.this.this_tool() -- representation of this very python library as a Tool.
  • New function cyclonedx.model.tool.Tool.from_component().

Dependencies

  • Raised runtime dependency py-serializable>=1.1.1,<2, was >=1.1.0,<2.

Signed-off-by: Jan Kowalleck [email protected]

Signed-off-by: Joshua Kugler [email protected]

Signed-off-by: semantic-release [email protected]

Co-authored-by: Joshua Kugler [email protected]

Co-authored-by: semantic-release [email protected]

v7.6.2 (2024-10-07)

Bug Fixes

  • Behavior of and typing for crypto setters with optional values (#694, d8b20bd)

fixes #690


Signed-off-by: Jan Kowalleck [email protected]

Documentation

Signed-off-by: Jan Kowalleck [email protected]

v7.6.1 (2024-09-18)

Bug Fixes

utilizes flake8 plugin https://pypi.org/project/flake8-copyright-validator/ to assert the correct headers

Signed-off-by: Jan Kowalleck [email protected]

v7.6.0 (2024-08-14)

Features

  • hashtype.from_composite_str for Blake2b, SHA3, Blake3 (#663, c59036e)

The code mistreated hashes for Blake2b and SHA3. Code for explicitly handling SHA1 & BLAKE3 was added, as those have no variants defined in the CycloneDX specification.

fixes #652


Signed-off-by: Michael Schlenker [email protected]

Co-authored-by: Michael Schlenker [email protected]

Co-authored-by: Jan Kowalleck [email protected]

v7.5.1 (2024-07-08)

Bug Fixes

  • Xml serialize normalizedString and token properly (#646, b40f739)

fixes #638


Signed-off-by: Jan Kowalleck [email protected]

v7.5.0 (2024-07-04)

Features

  • Add workaround property for v1.5 and v1.6 (#642, b5ebcf8)

Property workaround was missing from the vulnerability model. It was added in spec v1.5 and was marked as TODO before.

This is my first contribution to this project, so if I did something wrong, just tell me 😃

Signed-off-by: Louis Maillard [email protected]

Signed-off-by: Louis Maillard [email protected]

Co-authored-by: Louis Maillard [email protected]

v7.4.1 (2024-06-12)

Bug Fixes

  • cyclonedx.model.property.value value is optional (#631, ad0f98b)

cyclonedx.model.Property.value value is optional, in accordance with the spec.

fixes #630


Signed-off-by: Michael Schlenker [email protected]

Signed-off-by: Jan Kowalleck [email protected]

Co-authored-by: Michael Schlenker [email protected]

Co-authored-by: Jan Kowalleck [email protected]

Documentation

fixes #616


Signed-off-by: Jan Kowalleck [email protected]

v7.4.0 (2024-05-23)

Documentation

  • Ossp best practice percentage (75f58dc)

Signed-off-by: Jan Kowalleck [email protected]

Features

Signed-off-by: Jan Kowalleck [email protected]

v7.3.4 (2024-05-06)

Bug Fixes

  • Allow suppliers with empty-string names (#611, b331aeb)

fixes #600


Signed-off-by: Jan Kowalleck [email protected]

v7.3.3 (2024-05-06)

Bug Fixes

  • Json validation allow arbitrary $schema value (#613, 08b7c60)

fixes #612


Signed-off-by: Jan Kowalleck [email protected]

v7.3.2 (2024-04-26)

Bug Fixes

  • Properly sort components based on all properties (#599, 8df488c)

reverts #587 - as this one introduced errors
fixes #598
fixes #586


Signed-off-by: Jan Kowalleck [email protected]

Signed-off-by: Paul Horton [email protected]

Co-authored-by: Paul Horton [email protected]

v7.3.1 (2024-04-22)

Bug Fixes

  • Include all fields of Component in __lt__ function for #586 (#587, d784685)

Fixes #586.

Signed-off-by: Paul Horton [email protected]

v7.3.0 (2024-04-19)

Features

add a parameter to LicenseFactory.make_*() methods, to set the LicenseAcknowledgement.

Signed-off-by: Jan Kowalleck [email protected]

v7.2.0 (2024-04-19)

Features


Signed-off-by: Jan Kowalleck [email protected]

v7.1.0 (2024-04-10)

Documentation

  • Missing schema support table & update schema support to reflect version 7.0.0 (#584, d230e67)

Signed-off-by: Paul Horton [email protected]

Features

  • Support bom.properties for CycloneDX v1.5+ (#585, 1d1c45a)

Signed-off-by: Paul Horton [email protected]

v7.0.0 (2024-04-09)

Features

  • Support for CycloneDX v1.6 (8bbdf46)
  • added draft v1.6 schemas and boilerplate for v1.6

Signed-off-by: Paul Horton [email protected]

  • re-generated test snapshots for v1.6

  • note bom.metadata.manufacture as deprecated

  • work on bom.metadata for v1.6

  • Deprecated .component.author. Added .component.authors and .component.manufacturer

  • work to add .component.omniborid - but deserialisation tests fail due to schema differences (.component.author not in 1.6)

  • work to get deserialization tests passing

v6.4.4 (2024-03-18)

Bug Fixes

Signed-off-by: Christoph Reiter [email protected]

v6.4.3 (2024-03-04)

Bug Fixes

  • Serialization of model.component.Diff (#557, 22fa873)

Fixes #556


Signed-off-by: rcross-lc [email protected]

Signed-off-by: Jan Kowalleck [email protected]

Co-authored-by: Jan Kowalleck [email protected]

v6.4.2 (2024-03-01)

Build System

Signed-off-by: Jan Kowalleck [email protected]

Documentation

Signed-off-by: Jan Kowalleck [email protected]

  • Update architecture description and examples (#550, a19fd28)

Signed-off-by: Jan Kowalleck [email protected]

v6.4.1 (2024-01-30)

Bug Fixes

  • model.bomref no longer equal to unset peers (#543, 1fd7fee)

fixes #539


Signed-off-by: Jan Kowalleck [email protected]

Documentation

Signed-off-by: Jan Kowalleck [email protected]

Signed-off-by: Jan Kowalleck [email protected]

v6.4.0 (2024-01-22)

Documentation

Signed-off-by: Jan Kowalleck [email protected]

Features

Signed-off-by: Jan Kowalleck [email protected]

v6.3.0 (2024-01-06)

Documentation

  • Add Documentation url to project meta (1080b73)

Signed-off-by: Jan Kowalleck [email protected]

  • Add Documentation url to project meta (c4288b3)

Signed-off-by: Jan Kowalleck [email protected]

Features

  • Enable dependency py-serializable 0.17 (#529, 9f24220)

Signed-off-by: Jan Kowalleck [email protected]

v6.2.0 (2023-12-31)

Build System

  • Allow additional major-version RC branch patterns (f8af156)

Signed-off-by: Jan Kowalleck [email protected]

Documentation

  • Build docs on ubuntu22.04 python311 (b3e9ab7)

Signed-off-by: Jan Kowalleck [email protected]

Signed-off-by: Jan Kowalleck [email protected]

  • Update intro and description (f0bd05d)

Signed-off-by: Jan Kowalleck [email protected]

Features

  • Allow lxml requirement in range of >=4,<6 (#523, 7d12b9a)

Updates the requirements on lxml to permit the latest version.
  • Release notes
  • Changelog
  • Commits

---
updated-dependencies:
- dependency-name: lxml
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] [email protected]

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

v6.1.0 (2023-12-22)

Features

  • Add function to map python hashlib algorithms to CycloneDX (#519, 81f8cf5)

new API: model.HashType.from_hashlib_alg()

Signed-off-by: Jan Kowalleck [email protected]
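The two hash-related entries above (v7.6.0's composite-string handling for Blake2b, SHA3, SHA1 and BLAKE3, and v6.1.0's mapping of hashlib algorithms to CycloneDX) describe behaviour without showing it. What follows is an added, stand-alone illustration written for this page, not code from cyclonedx-python-lib: it does not import the library, and the function names (parse_composite, cdx_hash_of, cdx_algorithm_from_hashlib), the digest-length table and the hashlib mapping are this example's own assumptions; only the algorithm names are taken from the CycloneDX hashAlg enum. It shows why the variant has to be derived from the digest length: a bare "blake2b:" or "sha3:" label is ambiguous until the length picks the variant, whereas "sha1:" and "blake3:" have exactly one form in the spec, so any other length is rejected instead of being written into an SBOM.

```python
import hashlib
import re
from typing import Optional, Tuple

# CycloneDX hash algorithm names (spec hashAlg enum) with the hex-digest length
# each one requires. Table and function names are this example's own, not the
# library's HashType / HashAlgorithm API.
DIGEST_HEX_LEN = {
    'MD5': 32, 'SHA-1': 40, 'SHA-256': 64, 'SHA-384': 96, 'SHA-512': 128,
    'SHA3-256': 64, 'SHA3-384': 96, 'SHA3-512': 128,
    'BLAKE2b-256': 64, 'BLAKE2b-384': 96, 'BLAKE2b-512': 128, 'BLAKE3': 64,
}

# hashlib names -> CycloneDX names. blake2b is parameterised in hashlib, so it
# is resolved from the digest size instead (see cdx_algorithm_from_hashlib).
HASHLIB_TO_CDX = {
    'md5': 'MD5', 'sha1': 'SHA-1', 'sha256': 'SHA-256', 'sha384': 'SHA-384',
    'sha512': 'SHA-512', 'sha3_256': 'SHA3-256', 'sha3_384': 'SHA3-384',
    'sha3_512': 'SHA3-512',
}

# '<family>[-<bits>]' for the families that have sized variants in the spec.
# The lookahead keeps 'sha384' from being read as family 'sha3' + '84'.
_SIZED = re.compile(r'^(sha3(?=-|$)|sha|blake2b)-?(\d+)?$')
_COMPOSITE = re.compile(r'^\s*([A-Za-z0-9_-]+)\s*:\s*([0-9A-Fa-f]+)\s*$')


def cdx_algorithm_from_hashlib(alg: str, digest_size: Optional[int] = None) -> Optional[str]:
    """Map a hashlib name (plus digest size in bytes for blake2b) to a CycloneDX name."""
    alg = alg.lower()
    if alg == 'blake2b':
        return {32: 'BLAKE2b-256', 48: 'BLAKE2b-384', 64: 'BLAKE2b-512'}.get(digest_size)
    return HASHLIB_TO_CDX.get(alg)


def cdx_hash_of(data: bytes, hashlib_alg: str, digest_size: Optional[int] = None) -> Tuple[str, str]:
    """Hash data with hashlib and return (CycloneDX algorithm, hex digest)."""
    if hashlib_alg.lower() == 'blake2b':
        h = hashlib.blake2b(data, digest_size=digest_size or 64)
        alg = cdx_algorithm_from_hashlib('blake2b', h.digest_size)
    else:
        h = hashlib.new(hashlib_alg, data)
        alg = cdx_algorithm_from_hashlib(hashlib_alg)
    if alg is None:
        raise ValueError(f'no CycloneDX hash algorithm for hashlib {hashlib_alg!r}')
    return alg, h.hexdigest()


def parse_composite(composite: str) -> Tuple[str, str]:
    """Parse '<alg>:<hex>' into (CycloneDX algorithm, lowercase hex digest).

    blake2b and sha3 take their variant from the digest length (which must agree
    with any size given in the label); sha1 and blake3 have no variants in the
    spec and map straight to SHA-1 / BLAKE3. Every digest is length-checked.
    """
    m = _COMPOSITE.match(composite)
    if not m:
        raise ValueError(f'not a composite hash string: {composite!r}')
    label = m.group(1).lower().replace('_', '-')
    hexdigest = m.group(2).lower()
    bits = len(hexdigest) * 4

    if label in ('sha1', 'sha-1'):
        alg = 'SHA-1'
    elif label == 'blake3':
        alg = 'BLAKE3'
    elif label == 'md5':
        alg = 'MD5'
    else:
        s = _SIZED.match(label)
        if not s:
            raise ValueError(f'unknown hash algorithm: {label!r}')
        family, declared = s.group(1), s.group(2)
        if declared is not None and int(declared) != bits:
            raise ValueError(f'{label!r} declares {declared} bits but digest has {bits}')
        alg = {'sha': 'SHA', 'sha3': 'SHA3', 'blake2b': 'BLAKE2b'}[family] + f'-{bits}'

    expected = DIGEST_HEX_LEN.get(alg)
    if expected is None:
        raise ValueError(f'no CycloneDX variant for {label!r} with a {bits}-bit digest')
    if len(hexdigest) != expected:
        raise ValueError(f'{alg} digest must be {expected} hex chars, got {len(hexdigest)}')
    return alg, hexdigest


def is_valid_composite(composite: str) -> bool:
    """True if the composite string parses and passes the length checks."""
    try:
        parse_composite(composite)
    except ValueError:
        return False
    return True


if __name__ == '__main__':
    # constructed sample: hash an artifact, emit a composite string, parse it back
    alg, hexdigest = cdx_hash_of(b'constructed artifact bytes', 'blake2b', 32)
    print(f'{alg}:{hexdigest}', parse_composite(f'{alg}:{hexdigest}')[0])
```

The strict length check is deliberate: a hash of the wrong length for its declared algorithm can never verify, so accepting it would only hide a broken SBOM producer from whoever consumes the document later.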

v6.0.0 (2023-12-10)

Features

Breaking Changes

  • Removed symbols that were already marked as deprecated (via [#493])
  • Removed symbols in parser.* ([#489] via [#495])
  • Removed output.LATEST_SUPPORTED_SCHEMA_VERSION ([#491] via [#494])
  • Serialization of unsupported enum values might downgrade/migrate/omit them ([#490] via [#496])
    Handling might raise warnings if a data loss occurred due to omitting. The result is a guaranteed valid XML/JSON, since no (enum-)invalid values are rendered.
  • Serialization of any model.component.Component with unsupported type raises exception.serialization.SerializationOfUnsupportedComponentTypeException ([#490] via [#496])
  • Object model.bom_ref.BomRef's property value defaults to Null, was arbitrary UUID ([#504] via [#505])
    This change does not affect serialization. All bom-refs are guaranteed to have unique values on rendering.
  • Removed helpers from public API ([#503] via [#506])

Added

  • Basic support for CycloneDX 1.5 ([#404] via [#488])
    • No data models were enhanced nor added, yet. Pull requests to add functionality are welcome.
  • Existing enumerable got new cases, to reflect features of CycloneDX 1.5 ([#404] via [#488])
  • Outputters were enabled to render CycloneDX 1.5 ([#404] via [#488])

Tests

  • Created (regression/unit/integration/functional) tests for CycloneDX 1.5 ([#404] via [#488])
  • Created (regression/functional) tests for Enums' handling and completeness ([#490] via [#496])

Misc

  • Bumped dependency py-serializable@^0.16, was @^0.15 (via [#496])

API Changes — the details for migration

  • Added new sub-package exception.serialization (via [#496])
  • Removed class models.ComparableTuple ([#503] via [#506])
  • Enum model.ExternalReferenceType got new cases, to reflect features for CycloneDX 1.5 ([#404] via [#488])
  • Removed function models.get_now_utc ([#503] via [#506])
  • Removed function models.sha1sum ([#503] via [#506])
  • Enum model.component.ComponentType got new cases, to reflect features for CycloneDX 1.5 ([#404] via [#488])
  • Removed model.component.Component.__init__()'s deprecated optional kwarg namespace (via [#493])
    Use kwarg group instead.
  • Removed model.component.Component.__init__()'s deprecated optional kwarg license_str (via [#493])
    Use kwarg licenses instead.
  • Removed deprecated method model.component.Component.get_namespace() (via [#493])
  • Removed class models.dependency.DependencyDependencies ([#503] via [#506])
  • Removed model.vulnerability.Vulnerability.__init__()'s deprecated optional kwarg source_name (via [#493])
    Use kwarg source instead.
  • Removed model.vulnerability.Vulnerability.__init__()'s deprecated optional kwarg source_url (via [#493])
    Use kwarg source instead.
  • Removed model.vulnerability.Vulnerability.__init__()'s deprecated optional kwarg recommendations (via [#493])
    Use kwarg recommendation instead.
  • Removed model.vulnerability.VulnerabilityRating.__init__()'s deprecated optional kwarg score_base (via [#493])
    Use kwarg score instead.
  • Enum model.vulnerability.VulnerabilityScoreSource got new cases, to reflect features for CycloneDX 1.5 ([#404] via [#488])
  • Removed output.LATEST_SUPPORTED_SCHEMA_VERSION ([#491] via [#494])
  • Removed deprecated function output.get_instance() (via [#493])
    Use function output.make_outputter() instead.
  • Added new class output.json.JsonV1Dot5, to reflect CycloneDX 1.5 ([#404] via [#488])
  • Added new item to dict output.json.BY_SCHEMA_VERSION, to reflect CycloneDX 1.5 ([#404] via [#488])
  • Added new class output.xml.XmlV1Dot5, to reflect CycloneDX 1.5 ([#404] via [#488])
  • Added new item to dict output.xml.BY_SCHEMA_VERSION, to reflect CycloneDX 1.5 ([#404] via [#488])
  • Removed class parser.ParserWarning ([#489] via [#495])
  • Removed class parser.BaseParser ([#489] via [#495])
  • Enum schema.SchemaVersion got new case V1_5, to reflect CycloneDX 1.5 ([#404] via [#488])

[#404]: #404
[#488]: #488
[#489]: #489
[#490]: #490
[#491]: #491
[#493]: #493
[#494]: #494
[#495]: #495
[#496]: #496
[#503]: #503
[#504]: #504
[#505]: #505
[#506]: #506


Signed-off-by: Johannes Feichtner [email protected]

Signed-off-by: Jan Kowalleck [email protected]

Signed-off-by: semantic-release

Co-authored-by: Johannes Feichtner [email protected]

Co-authored-by: semantic-release

v5.2.0 (2023-12-02)

Documentation

Signed-off-by: Jan Kowalleck [email protected]

Features

  • model.xsuri migrate control characters according to spec (#498, e490429)

fixes #497


Signed-off-by: Jan Kowalleck [email protected]

v5.1.1 (2023-11-02)

Bug Fixes

Signed-off-by: Jan Kowalleck [email protected]

v5.1.0 (2023-10-31)

Documentation

Signed-off-by: Jan Kowalleck [email protected]

Features

  • Guarantee unique BomRefs in serialization result (#479, a648775)

Incorporate output.BomRefDiscriminator on serialization

Signed-off-by: Jan Kowalleck [email protected]

v5.0.1 (2023-10-24)

Documentation

Signed-off-by: Jan Kowalleck [email protected]

Signed-off-by: Jan Kowalleck [email protected]

v5.0.0 (2023-10-24)

Features

BREAKING CHANGES

  • Dropped support for python<3.8 ([#436] via [#441]; enable [#433])
  • Reworked license related models, collections, and factories ([#365] via [#466])
  • Behavior
    • Method model.bom.Bom.validate() will throw exception.LicenseExpressionAlongWithOthersException, if detecting invalid license constellation ([#453] via [#452])
    • Fixed tuple comparison when unequal lengths (via [#461])
  • API
    • Enum schema.SchemaVersion is no longer string-like ([#442] via [#447])
    • Enum schema.OutputVersion is no longer string-like ([#442] via [#447])
    • Abstract class output.BaseOutput requires implementation of new method output_format ([#446] via [#447])
    • Abstract method output.BaseOutput.output_as_string() got new optional parameter indent ([#437] via [#458])
    • Abstract method output.BaseOutput.output_as_string() accepts arbitrary kwargs (via [#458], [#462])
    • Removed class factory.license.LicenseChoiceFactory (via [#466])
      The old functionality was integrated into factory.license.LicenseFactory.
    • Method factory.license.LicenseFactory.make_from_string()'s parameter name_or_spdx was renamed to value (via [#466])
    • Method factory.license.LicenseFactory.make_from_string()'s return value can also be a LicenseExpression ([#365] via [#466])
      The behavior imitates the old factory.license.LicenseChoiceFactory.make_from_string()
    • Renamed class model.License to model.license.DisjunctiveLicense ([#365] via [#466])
    • Removed class model.LicenseChoice ([#365] via [#466])
      Use dedicated classes model.license.DisjunctiveLicense and model.license.LicenseExpression instead
    • All occurrences of model.LicenseChoice were replaced by model.license.License ([#365] via [#466])
    • All occurrences of SortedSet[LicenseChoice] were specialized to model.license.LicenseRepository ([#365] via [#466])

Fixed

  • Serialization of multi-licenses ([#365] via [#466])
  • Detect unused "dependent" components in model.bom.validate() (via [#464])

Changed

  • Updated the list of supported SPDX license identifiers (via [#433])
  • Shipped schema files are moved to a protected space (via [#433])
    These files were never intended for public use.
  • XML output uses a default namespace, which makes results smaller. ([#438] via [#458])

Added

  • Support for Python 3.12 (via [#460])
  • JSON- & XML-Validators ([#432], [#446] via [#433], [#448])
    The functionality might require additional dependencies, that can be installed with the extra "validation". See the docs in section "Installation" for details.
  • JSON & XML can be generated in a more human-friendly form ([#437], [#438] via [#458])
  • Type hints, typings & overloads for better integration downstream (via [#463])
  • API
    • New function output.make_outputter() (via [#469])
      This replaces the deprecated function output.get_instance().
    • New sub-package validation ([#432], [#446] via [#433], [#448], [#469], [#468], [#469])
    • New class exception.MissingOptionalDependencyException ([#432] via [#433])
    • New class exception.LicenseExpressionAlongWithOthersException ([#453] via [#452])
    • New dictionaries output.{json,xml}.BY_SCHEMA_VERSION ([#446] via [#447])
    • Existing implementations of class output.BaseOutput now have a new method output_format ([#446] via [#447])
    • Existing implementations of method output.BaseOutput.output_as_string() got new optional parameter indent ([#437] via [#458])
    • Existing implementations of method output.BaseOutput.output_to_file() got new optional parameter indent ([#437] via [#458])
    • New method factory.license.LicenseFactory.make_with_expression() (via [#466])
    • New class model.license.DisjunctiveLicense ([#365] via [#466])
    • New class model.license.LicenseExpression ([#365] via [#466])
    • New class model.license.LicenseRepository ([#365] via [#466])
    • New class serialization.LicenseRepositoryHelper ([#365] via [#466])

Deprecated

  • Function output.get_instance() might be removed, use output.make_outputter() instead (via [#469])

Tests

  • Added validation tests with official CycloneDX schema test data ([#432] via [#433])
  • Use proper snapshots, instead of pseudo comparison ([#437] via [#464])
  • Added regression test for bug [#365] (via [#466], [#467])

Misc

  • Dependencies: bumped py-serializable@^0.15.0, was @^0.11.1 (via [#458], [#463], [#464], [#466])
  • Style: streamlined quotes and strings (via [#472])
  • Chore: bumped internal dev- and QA-tools ([#436] via [#441], [#472])
  • Chore: added more QA tools to prevent common security issues (via [#473])

[#432]: #432
[#433]: #433
[#436]: #436
[#437]: #437
[#365]: #365
[#438]: #438
[#440]: #440
[#441]: #441
[#442]: #442
[#446]: #446
[#447]: #447
[#448]: #448
[#452]: #452
[#453]: #453
[#458]: #458
[#460]: #460
[#461]: #461
[#462]: #462
[#463]: #463
[#464]: #464
[#466]: #466
[#467]: #467
[#468]: #468
[#469]: #469
[#472]: #472
[#473]: #473


Signed-off-by: Jan Kowalleck [email protected]

Signed-off-by: Jan Kowalleck [email protected]

Signed-off-by: semantic-release

Co-authored-by: semantic-release

v4.2.3 (2023-10-16)

Bug Fixes

  • Spdx-expression-validation internal crashes are caught and handled (#471, 5fa66a0)

Signed-off-by: Jan Kowalleck [email protected]

v4.2.2 (2023-09-14)

Bug Fixes

Signed-off-by: Jan Kowalleck [email protected]

Documentation

Signed-off-by: Jan Kowalleck [email protected]

  • example: Showcase LicenseChoiceFactory (#428, c56ec83)

Signed-off-by: Jan Kowalleck [email protected]

v4.2.1 (2023-09-06)

Bug Fixes

  • licensechoicefactory.make_from_string() prioritize SPDX id over expression (#427, e1bdfdd)

Signed-off-by: Jan Kowalleck [email protected]
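The v5.0.0 notes above state two rules without showing them: Bom.validate() now throws LicenseExpressionAlongWithOthersException when a license expression sits alongside other licenses, and LicenseFactory.make_from_string() may return a LicenseExpression; the v4.2.1 fix directly above makes the factory try an SPDX id before an expression. What follows is an added, stand-alone illustration of those rules written for this page, not code from cyclonedx-python-lib: it does not import the library, and the class and function names, the embedded handful of SPDX ids and exceptions (sample data, not the full SPDX list the library ships), and the recursive-descent grammar are this example's own. The id-before-expression order matters because a bare "MIT" is also a syntactically valid expression, so checking for an expression first would never yield a plain SPDX-id license.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Sample data for this example only: a small subset of SPDX ids and exceptions.
SPDX_IDS = frozenset({
    'MIT', 'Apache-2.0', 'BSD-3-Clause', 'ISC', 'MPL-2.0',
    'GPL-2.0-only', 'GPL-2.0-or-later', 'GPL-3.0-or-later', 'LGPL-2.1-only',
})
SPDX_EXCEPTIONS = frozenset({'Classpath-exception-2.0', 'LLVM-exception'})
# SPDX ids are matched case-insensitively; keep the canonical spelling around.
_SPDX_CANONICAL = {i.lower(): i for i in SPDX_IDS}


@dataclass(frozen=True)
class DisjunctiveLicense:
    """One license, identified either by SPDX id or by a free-text name."""
    spdx_id: Optional[str] = None
    name: Optional[str] = None


@dataclass(frozen=True)
class LicenseExpression:
    """A compound SPDX expression such as 'MIT OR Apache-2.0'."""
    value: str


License = Union[DisjunctiveLicense, LicenseExpression]


class LicenseExpressionAlongWithOthers(ValueError):
    """Raised when an expression is mixed with other licenses in one set."""


_TOKEN = re.compile(r'\(|\)|[A-Za-z0-9.+-]+')


def is_spdx_expression(expr: str) -> bool:
    """Recursive-descent check of the SPDX expression grammar over the known ids:
    disjunction := conjunction (OR conjunction)*
    conjunction := simple (AND simple)*
    simple      := '(' disjunction ')' | id['+'] [WITH exception]
    """
    tokens = _TOKEN.findall(expr)
    if not tokens or ''.join(tokens) != re.sub(r'\s+', '', expr):
        return False  # characters the grammar does not allow (e.g. ';')
    pos = 0

    def peek() -> Optional[str]:
        return tokens[pos] if pos < len(tokens) else None

    def take() -> str:
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def simple() -> bool:
        t = peek()
        if t == '(':
            take()
            if not disjunction() or peek() != ')':
                return False
            take()
            return True
        if t is None or t in ('AND', 'OR', 'WITH', ')'):
            return False
        if take().rstrip('+').lower() not in _SPDX_CANONICAL:
            return False  # unknown operand: not a valid expression
        if peek() == 'WITH':
            take()
            if peek() not in SPDX_EXCEPTIONS:
                return False
            take()
        return True

    def conjunction() -> bool:
        if not simple():
            return False
        while peek() == 'AND':
            take()
            if not simple():
                return False
        return True

    def disjunction() -> bool:
        if not conjunction():
            return False
        while peek() == 'OR':
            take()
            if not conjunction():
                return False
        return True

    return disjunction() and pos == len(tokens)


def make_license(value: str) -> License:
    """Classify a string: SPDX id first, then expression, then plain name."""
    v = value.strip()
    if v.lower() in _SPDX_CANONICAL:
        return DisjunctiveLicense(spdx_id=_SPDX_CANONICAL[v.lower()])
    if is_spdx_expression(v):
        return LicenseExpression(v)
    return DisjunctiveLicense(name=v)


def validate_licenses(licenses: List[License]) -> List[License]:
    """CycloneDX allows either one expression or any number of licenses, never both."""
    if len(licenses) > 1 and any(isinstance(lic, LicenseExpression) for lic in licenses):
        raise LicenseExpressionAlongWithOthers('a license expression must be the only license in the set')
    return licenses


def licenses_are_valid(licenses: List[License]) -> bool:
    try:
        validate_licenses(licenses)
    except LicenseExpressionAlongWithOthers:
        return False
    return True
```

Unknown operands ("MIT OR FooBar-1.0") deliberately fall through to a named license rather than an expression, so a downstream consumer sees an honest free-text name instead of an SPDX expression it cannot resolve.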

v4.2.0 (2023-09-06)

Features

Signed-off-by: Jan Kowalleck [email protected]

v4.1.0 (2023-08-27)

Documentation

  • examples: Showcase shorthand dependency management (#403, 8b32efb)

Signed-off-by: Jan Kowalleck [email protected]

Features

  • Programmatic access to library's version (#417, 3585ea9)

adds cyclonedx.__version__

Signed-off-by: Jan Kowalleck [email protected]

v4.0.1 (2023-06-28)

Bug Fixes

  • Conditional warning if no root dependencies were found (#398, c8175bb)

Signed-off-by: Jan Kowalleck [email protected]

Build System

Signed-off-by: Jan Kowalleck [email protected]

Documentation

  • Add example how to build and serialize (#397, 65e22bd)

Signed-off-by: Jan Kowalleck [email protected]

Signed-off-by: Jan Kowalleck [email protected]

v4.0.0 (2023-03-20)

Bug Fixes

  • Remove toml as dependency as not used and seems to be breaking Python 3.11 CI (8fb1b14)

Signed-off-by: Paul Horton [email protected]

  • Removed autopep8 in favour of flake8 as both have conflicting dependencies now (8fb1b14)

Signed-off-by: Paul Horton [email protected]

  • Removed setuptools as dependency (8fb1b14)

  • Removed types-toml from dependencies - not used (8fb1b14)

Signed-off-by: Paul Horton [email protected]


  • Update serializable to include XML safety changes (8fb1b14)

Signed-off-by: Paul Horton [email protected]

Features

Signed-off-by: Hakan Dilek [email protected]

Signed-off-by: Paul Horton [email protected]

Co-authored-by: Hakan Dilek [email protected]

Co-authored-by: Hakan Dilek [email protected]

  • Officially test and support Python 3.11 (8fb1b14)

Signed-off-by: Paul Horton [email protected]

  • removed unused imports

  • bump poetry to 1.1.12 in CI

Highlights of this release include:
  • Support for De-serialization from JSON and XML to this Pythonic Model
  • Deprecation of Python 3.6 support
  • Support for Python 3.11
  • Support for BomLink
  • Support VEX without needing Component in the same Bom
  • Support for services having dependencies

BREAKING CHANGE: Large portions of this library have been re-written for this release and many methods and contracts have changed.

Signed-off-by: Paul Horton [email protected]

  • Support for deserialization from JSON and XML (#290, 8fb1b14)

BREAKING CHANGE:

  • Support for Python 3.11 (#349, 8fb1b14)

  • Support VEX without Components in the same BOM (8fb1b14)

BREAKING CHANGE: Model classes changed to relocated Vulnerability at Bom, not at Component

Signed-off-by: Paul Horton [email protected]

Breaking Changes

  • Large portions of this library have been re-written for this release and many methods and contracts have changed.

v3.1.5 (2023-01-12)

Bug Fixes

  • Make tests' schema paths relative to cyclonedx package (#338, 1f0c05f)

Signed-off-by: Jan Kowalleck [email protected]

v3.1.4 (2023-01-11)

Bug Fixes

Features

  • Include tests in sdist builds for #336 (#337, 936ad7d)

v3.1.3 (2023-01-07)

Bug Fixes

  • Serialize dependency graph for nested components (#329, fb3f835)
  • tests: regression tests for issue #328
  • fix: for issue #328

Signed-off-by: Jan Kowalleck [email protected]

v3.1.2 (2023-01-06)

Bug Fixes

  • Prevent errors on metadata handling for some specification versions (#330, f08a656)

Signed-off-by: Jan Kowalleck [email protected]

Documentation

caused by badges/shields#8671

Signed-off-by: Jan Kowalleck [email protected]

Signed-off-by: Roland Weber [email protected]

Signed-off-by: Jan Kowalleck [email protected]

v3.1.1 (2022-11-28)

Bug Fixes

  • Type hint for get_component_by_purl is incorrect (3f20bf0)

v3.1.0 (2022-09-15)

Features

Signed-off-by: Jan Kowalleck [email protected]

  • Out-factor SPDX compound detection (fd4d537)

Signed-off-by: Jan Kowalleck [email protected]

  • Out-factor SPDX compound detection (2b69925)

Signed-off-by: Jan Kowalleck [email protected]

v2.7.1 (2022-08-01)

Bug Fixes

  • Pinned mypy <= 0.961 due to #278 (d6955cb)

Signed-off-by: Paul Horton [email protected]

  • Properly support nested components and services #275 (6597db7)

Signed-off-by: Paul Horton [email protected]

v2.7.0 (2022-07-21)

Features

  • Added updated CycloneDX 1.4.2 schemas (7fb27ae)

Signed-off-by: Paul Horton [email protected]

  • Support for CycloneDX schema version 1.4.2 (db7445c)

v2.6.0 (2022-06-20)

Features

  • Reduce unnecessary type casting of set/SortedSet (#203, 089d971)

Signed-off-by: Jan Kowalleck [email protected]

v2.5.2 (2022-06-15)

Bug Fixes

  • Add expected lower-than comparators for OrganizationalEntity and VulnerabilityCredits (#248, 0046ee1)

Signed-off-by: Jan Kowalleck [email protected]

v2.5.1 (2022-06-10)

Bug Fixes

  • Add missing Vulnerability comparator for sorting (#246, c3f3d0d)

Partial fix for #245.

Signed-off-by: Rodney Richardson [email protected]

v2.5.0 (2022-06-10)

Build System

  • Move typing to dev-dependencies (0e2376b)

Move types-setuptools and types-toml to dev-dependencies (#226)

Signed-off-by: Adam Johnson [email protected]

Documentation

  • Fix typo "This is out" -> "This is our" (ef0278a)

Fix typo in comments: "This is out" -> "This is our" (#233)

Signed-off-by: Rodney Richardson [email protected]

Features

  • Use SortedSet in model to improve reproducibility - this will provide predictable ordering of various items in generated CycloneDX documents - thanks to @RodneyRichardson (8a1c404)

Signed-off-by: Paul Horton [email protected]

v2.4.0 (2022-05-17)

Features

  • deps: Remove unused typing-extensions constraints (2ce358a)

PullRequest and details via #224

Signed-off-by: gruebel [email protected]

v2.3.0 (2022-04-20)

Features

  • Add support for Dependency Graph in Model and output serialisation (ea34513)

Signed-off-by: Paul Horton [email protected]

v2.2.0 (2022-04-12)

Features

  • Bump JSON schemas to latest fix verison for 1.2 and 1.3 - see: (bd6a088)

  • Bump XML schemas to latest fix version for 1.2-1.4 - see: (bd2e756)

v2.1.1 (2022-04-05)

Bug Fixes

  • version being optional in JSON output can raise error (ba0c82f)

Signed-off-by: Paul Horton [email protected]

  • Prevent error if version not set (b9a84b5)

Signed-off-by: Paul Horton [email protected]

v2.1.0 (2022-03-28)

Features

  • Output errors are verbose (bfe8fb1)

Signed-off-by: Jan Kowalleck [email protected]

v2.0.0 (2022-02-21)

Bug Fixes

  • component.bom_ref is not Optional in our model implementation (in the schema it is) - we generate a UUID if bom_ref is not supplied explicitly (5c954d1)

Signed-off-by: Paul Horton [email protected]

  • expression not supported in Component Licenses for version 1.0 (15b081b)

Signed-off-by: Paul Horton [email protected]

  • license_url not serialised in XML output #179 (#180, f014d7c)

Signed-off-by: Paul Horton [email protected]

  • Components with no version (optional since 1.4) produce invalid BOM output in XML #150 (70d25c8)

Signed-off-by: Paul Horton [email protected]

Signed-off-by: Paul Horton [email protected]

  • Implemented correct __hash__ methods in models (#153) (#155, 32c0139)

Signed-off-by: Paul Horton [email protected]

  • Regression introduced by first fix for #150 (c09e396)

Signed-off-by: Paul Horton [email protected]

  • Resolved #169 (part of #155) (#172, a926b34)

  • Temporary fix for __hash__ of Component with properties #153 (a51766d)

Signed-off-by: Paul Horton [email protected]

Features

  • bom-ref for Component and Vulnerability default to a UUID (#142, b45ff18)

  • bom-ref for Component and Vulnerability default to a UUID if not supplied ensuring they have a unique value #141 (b45ff18)

Signed-off-by: Paul Horton [email protected]

  • doc: updated documentation to reflect change

  • patched other tests to support UUID for bom-ref

  • better syntax

  • 1.3.0

Automatically generated by python-semantic-release

  • WIP but a lil hand up for @madpah

Signed-off-by: Jeffry Hesse [email protected]

BREAKING CHANGE: Adopt PEP-3102

BREAKING CHANGE: Optional Lists are now non-optional Sets

BREAKING CHANGE: Remove concept of DEFAULT schema version - replaced with LATEST schema version

BREAKING CHANGE: Added BomRef data type

Signed-off-by: Paul Horton [email protected]

  • Complete support for bom.components (#155, 32c0139)

  • Completed work on #155 (#172, a926b34)

  • Support complete model for bom.metadata (#162, 2938a6c)

  • Support for bom.externalReferences in JSON and XML #124 (1b733d7)

Signed-off-by: Paul Horton [email protected]

  • Support services in XML BOMs (9edf6c9)

Breaking Changes

  • Adopt PEP-3102

  • Optional Lists are now non-optional Sets

  • Remove concept of DEFAULT schema version - replaced with LATEST schema version

  • Added BomRef data type

v1.3.0 (2022-01-24)

Features

  • bom-ref for Component and Vulnerability default to a UUID (#142, 3953bb6)

  • bom-ref for Component and Vulnerability default to a UUID if not supplied ensuring they have a unique value #141 (#142, 3953bb6)

Signed-off-by: Paul Horton [email protected]

  • doc: updated documentation to reflect change

  • patched other tests to support UUID for bom-ref

  • better syntax

v1.2.0 (2022-01-24)

Features

  • Added CPE to component

Setting CPE was missing for component, now it is possible to set CPE and output CPE for a component.

Signed-off-by: Jens Lucius [email protected]

  • Fixing problems with CPE addition
  • Fixed styling errors - Added reference to CPE Spec - Adding CPE parameter as last parameter to not break arguments
  • Again fixes for Style and CPE reference

Missing in the last commit

  • Added CPE as argument before deprecated arguments

  • Added testing for CPE addition and error fixing

  • Added output tests for CPE in XML and JSON - Fixes style error in components - Fixes order for CPE output in XML (CPE has to come before PURL)
  • Fixed output tests

CPE was still in the wrong position in one of the tests - fixed

  • Fixed minor test fixtures issues
  • cpe was still in wrong position in 1.2 JSON - Indentation fixed in 1.4 JSON
  • Fixed missing comma in JSON 1.2 test file

v1.1.1 (2022-01-19)

Bug Fixes

Signed-off-by: Paul Horton [email protected]

v1.1.0 (2022-01-13)

Features

  • Add support for bom.metadata.component (#118, 1ac31f4)
  • Add support for metadata component

Part of #6

Signed-off-by: Artem Smotrakov [email protected]

  • Better docs and simpler ifs

v1.0.0 (2022-01-13)

v0.12.3 (2021-12-15)

Bug Fixes

  • Removed requirements-parser as dependency (temp) as not available for Python 3 as Wheel (#98, 3677d9f)

Signed-off-by: Paul Horton [email protected]

v0.12.2 (2021-12-09)

Bug Fixes

  • Tightened dependency packageurl-python (#95, eb4ae5c)

fixes #94

Signed-off-by: Jan Kowalleck [email protected]

v0.12.1 (2021-12-09)

Bug Fixes

  • Further loosened dependency definitions (8bef6ec)

see #44

updated some locked dependencies to latest versions

Signed-off-by: Jan Kowalleck [email protected]

v0.12.0 (2021-12-09)

Bug Fixes

  • Typing definitions to be PY 3.6 compatible (07ebedc)

Signed-off-by: Paul Horton [email protected]

  • Typing definitions to be PY 3.6 compatible (07ebedc)

Signed-off-by: Paul Horton [email protected]

  • straightened up sys.version_info constraints/code-branches

Signed-off-by: Jan Kowalleck [email protected]

  • removed unused type ignores

  • try to fix type variants

  • typing for py3.6

  • fixed invalid unittest

  • mypy silence warn_unused_ignores

  • mypy in tox for lowest version is pinned

Co-authored-by: Paul Horton [email protected]

  • Update conda package parsing to handle build containing underscore (#66, 2c6020a)

Signed-off-by: Paul Horton [email protected]

  • updated some typings

Features

  • Loosened dependency versions to make this library more consumable (55f10fb)

  • Lowering minimum dependency versions (55f10fb)

Signed-off-by: Paul Horton [email protected]

  • Lowering minimum dependency versions - importlib-metadata raising minimum to ensure we get a typed library (55f10fb)

Signed-off-by: Paul Horton [email protected]

  • Lowering minimum version for importlib-metadata to 3.4.0 with modified import statement (55f10fb)

Signed-off-by: Paul Horton [email protected]

v0.11.1 (2021-11-10)

Bug Fixes

  • Constructor for Vulnerability to correctly define ratings as optional (395a0ec)

Signed-off-by: William Woodruff [email protected]

Signed-off-by: Paul Horton [email protected]

  • added trove classifier for Python 3.10

Signed-off-by: Paul Horton [email protected]

v0.11.0 (2021-11-10)

Features

  • added file for type checkers according to PEP 561

Signed-off-by: Jan Kowalleck [email protected]

  • added static code analysis as a dev-test

  • added the "typed" trove

  • added flake8-annotations to the tests

  • added type hints

  • further typing updates

Signed-off-by: Paul Horton [email protected]

  • further typing additions and test updates

  • further typing

  • further typing - added type stubs for toml and setuptools

  • typing work

  • coding standards

  • fixed tox and mypy running in correct python version

  • suppressed mypy for cyclonedx.utils.conda.parse_conda_json_to_conda_package

  • fixed type hints

  • fixed some typing related flaws

  • added flake8-bugbear for code analysis

Co-authored-by: Paul Horton [email protected]

v0.10.2 (2021-10-21)

Bug Fixes

  • Correct way to write utf-8 encoded files (49f9369)

Signed-off-by: Paul Horton [email protected]

v0.10.1 (2021-10-21)

Bug Fixes

  • Ensure output to file is UTF-8 (a10da20)

Signed-off-by: Paul Horton [email protected]

  • Ensure output to file is UTF-8 (193bf64)

Signed-off-by: Paul Horton [email protected]

v0.10.0 (2021-10-20)

Features

Signed-off-by: Paul Horton [email protected]

v0.9.1 (2021-10-19)

v0.9.0 (2021-10-19)

Bug Fixes

  • Missing check for Classifiers in Environment Parser (b7fa38e)

Signed-off-by: Paul Horton [email protected]

Features

  • Add support for parsing package licenses when using the Environment Parsers (c414eaf)

Signed-off-by: Paul Horton [email protected]

v0.8.3 (2021-10-14)

Bug Fixes

  • Coding standards violations (00cd1ca)

Signed-off-by: Paul Horton [email protected]

  • Handle Pipfile.lock dependencies without an index specified (26c62fb)

v0.8.2 (2021-10-14)

Bug Fixes

  • Add namespace and subpath support to Component to complete PackageURL Spec support (780adeb)

Signed-off-by: Paul Horton [email protected]

v0.8.1 (2021-10-12)

Bug Fixes

  • Multiple hashes being created for an externalReference which is not as required (970d192)

Signed-off-by: Paul Horton [email protected]

v0.8.0 (2021-10-12)

Features

  • Add support for externalReferences for Components and associated enhancements to parsers to obtain information where possible/known (a152852)

Signed-off-by: Paul Horton [email protected]

v0.7.0 (2021-10-11)

Features

  • Support for pipenv.lock file parsing (68a2dff)

Signed-off-by: Paul Horton [email protected]

v0.6.2 (2021-10-11)

v0.6.1 (2021-10-11)

Bug Fixes

  • Added ability to add tools in addition to this library when generating CycloneDX + plus fixes relating to multiple BOM instances (e03a25c)

Signed-off-by: Paul Horton [email protected]

  • Better methods for checking if a Component is already represented in the BOM, and the ability to get the existing instance (5fee85f)

Signed-off-by: Paul Horton [email protected]

v0.6.0 (2021-10-11)

Features

Signed-off-by: Paul Horton [email protected]

  • Support for non-PyPi Components - PackageURL type is now definable when creating a Component (fde79e0)

Signed-off-by: Paul Horton [email protected]

v0.5.0 (2021-10-11)

Bug Fixes

  • Bumped a dependency version (efc1053)

Signed-off-by: Paul Horton [email protected]

Build System

  • Updated dependencies, moved pdoc3 to a dev dependency (6a9947d)

Signed-off-by: Paul Horton [email protected]

Features

  • Add support for tool(s) that generated the SBOM (7d1e6ef)

Signed-off-by: Paul Horton [email protected]

v0.4.1 (2021-09-27)

Bug Fixes

  • Improved handling for requirements.txt content without pinned or declared versions (7f318cb)

Signed-off-by: Paul Horton [email protected]

Build System

Signed-off-by: Paul Horton [email protected]

v0.4.0 (2021-09-16)

Bug Fixes

  • Relaxed typing of parameter to be compatible with Python < 3.9 (f9c7990)

Signed-off-by: Paul Horton [email protected]

  • Remove unused commented out code (ba4f285)

Signed-off-by: Paul Horton [email protected]

Signed-off-by: Paul Horton [email protected]

Signed-off-by: Paul Horton [email protected]

Features

  • Helper methods for deriving Severity and SourceType (6a86ec2)

Signed-off-by: Paul Horton [email protected]

  • Support for localising vectors (i.e. stripping out any scheme prefix) (b9e9e17)

Signed-off-by: Paul Horton [email protected]

v0.3.0 (2021-09-15)

Features

  • Adding support for extension schema that describes vulnerability disclosures (d496695)

Signed-off-by: Paul Horton [email protected]

v0.2.0 (2021-09-14)

Bug Fixes

  • Whitespace on empty line removed (cfc952e)

Signed-off-by: Paul Horton [email protected]

v0.1.0 (2021-09-13)

Features

Signed-off-by: Paul Horton [email protected]

  • Added helper method to return a PackageURL object representing a Component (367bef1)

Signed-off-by: Paul Horton [email protected]

v0.0.11 (2021-09-10)

Bug Fixes

  • build: Removed artefacts associated with non-poetry build (f9119d4)

Tidied up project to remove items associated with non-Poetry build process. Also aligned a few references in README to new home of this project under CycloneDX.

Signed-off-by: Paul Horton [email protected]

  • build: Test failure and dependency missing (9a2cfe9)

Fixed failing tests due to dependency on the now removed VERSION file. Added flake8 officially as a DEV dependency to poetry.

Signed-off-by: Paul Horton [email protected]

  • test: Test was not updated for revised author statement (d1c9d37)

Signed-off-by: Paul Horton [email protected]

v0.0.10 (2021-09-08)

Bug Fixes

v0.0.9 (2021-09-08)

v0.0.8 (2021-09-08)

Bug Fixes

  • Additional info to poetry, remove circleci (2fcfa5a)

v0.0.7 (2021-09-08)

Bug Fixes

  • Initial release to pypi, tell poetry to include cyclonedx package (a030177)

  • Release with full name (4c620ed)

v0.0.6 (2021-09-08)

Bug Fixes

  • Initial release to pypi (99687db)

v0.0.5 (2021-09-08)

v0.0.4 (2021-09-08)

v0.0.3 (2021-09-08)

v0.0.2 (2021-09-08)