CHANGELOG

v8.4.0 (2024-10-29)

Feature

feat: add factory method XsUri.make_bom_link() (#728)

Signed-off-by: Saquib Saifee <saquibsaifee@ibm.com> Co-authored-by: Saquib Saifee <saquibsaifee@ibm.com> (5ec73d0)

Fix

fix: no warning for missing dependencies if no component exists (#720)

Signed-off-by: weichslgartner <weichslgartner@gmail.com> (d9c3ded)

Unknown

doc: fix Definitions docstring (#731)

Signed-off-by: Hakan Dilek <hakandilek@gmail.com> (5860b67)

v8.3.0 (2024-10-26)

Documentation

docs: revisit examples readme (#725)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (e9020f0)

Feature

feat: add basic support for Definitions (#701)

Signed-off-by: Hakan Dilek <hakandilek@gmail.com> (a1573e5)

v8.2.1 (2024-10-24)

Fix

fix: encode quotation mark in URL (#724)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (a7c7c97)

v8.2.0 (2024-10-22)

Feature

feat: Add Python 3.13 support (#718)

Signed-off-by: gruebel <anton.gruebel@gmail.com> (d4be3ba)

v8.1.0 (2024-10-21)

Documentation

docs: fix code examples regarding outputting (#709)

Signed-off-by: Hakan Dilek <hakandilek@gmail.com> (c72d5f4)

Feature

feat: add support for Lifecycles in BOM metadata (#698)

Signed-off-by: Johannes Feichtner <johannes@web-wack.at> Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> Signed-off-by: Johannes Feichtner <343448+Churro@users.noreply.github.com> Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com> (6cfeb71)

v8.0.0 (2024-10-14)

Breaking

feat!: v8.0.0 (#665)

BREAKING Changes

Removed cyclonedx.mode.ThisTool, utilize cyclonedx.builder.this.this_tool() instead.
Moved cyclonedx.model.Tool to cyclonedx.model.tool.Tool.
Property cyclonedx.mode.bom.BomMetaData.tools is of type cyclonedx.model.tool.ToolRepository now, was SortedSet[cyclonedx.model.Tool].
The getter will act accordingly; the setter might act in a backwards-compatible way.
Property cyclonedx.mode.vulnerability.Vulnerability.tools is of type cyclonedx.model.tool.ToolRepository now, was SortedSet[cyclonedx.model.Tool].
The getter will act accordingly; the setter might act in a backwards-compatible way.
Constructor cyclonedx.model.license.LicenseExpression() accepts optional argument acknowledgement only as key-word argument, no longer as positional argument.

Changes

Constructor of cyclonedx.model.bom.BomMetaData also accepts an instance of cyclonedx.model.tool.ToolRepository for argument tools.
Constructor of cyclonedx.model.bom.BomMetaData no longer adds this very library as a tool.
Downstream users SHOULD add it manually, like my-bom.metadata.tools.components.add(cyclonedx.builder.this.this_component()).

Fixes

Deserialization of CycloneDX that do not include tools in the metadata are no longer unexpectedly modified/altered.

Added

Enabled Metadata Tools representation and serialization in accordance with CycloneDX 1.5

New class cyclonedx.model.tool.ToolRepository.
New function cyclonedx.builder.this.this_component() -- representation of this very python library as a Component.
New function cyclonedx.builder.this.this_tool() -- representation of this very python library as a Tool.
New function cyclonedx.model.tool.Tool.from_component().

Dependencies

Raised runtime dependency py-serializable>=1.1.1,<2, was >=1.1.0,<2.

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> Signed-off-by: Joshua Kugler <tek30584@adobe.com> Signed-off-by: semantic-release <semantic-release@bot.local> Co-authored-by: Joshua Kugler <joshua@azariah.com> Co-authored-by: semantic-release <semantic-release@bot.local> (002f966)

Documentation

docs(chaneglog): omit chore/ci/refactor/style/test/build (#703)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (a210809)

v7.6.2 (2024-10-07)

Documentation

docs: fix some doc strings

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (4fa8fc1)

Fix

fix: behavior of and typing for crypto setters with optional values (#694)

fixes #690

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (d8b20bd)

v7.6.1 (2024-09-18)

Fix

fix: file copyright headers (#676)

utilizes flake8 plugin <https://pypi.org/project/flake8-copyright-validator/> to assert the correct headers

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (35e00b4)

v7.6.0 (2024-08-14)

Feature

feat: HashType.from_composite_str for Blake2b, SHA3, Blake3 (#663)

The code mistreated hashes for Blake2b and SHA3. Code for explicitly handling SHA1 & BLAKE3 was added, as those have no variants defined in the CycloneDX specification.

fixes #652

Signed-off-by: Michael Schlenker <michael.schlenker@contact-software.com> Co-authored-by: Michael Schlenker <michael.schlenker@contact-software.com> Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com> (c59036e)

v7.5.1 (2024-07-08)

Fix

fix: XML serialize normalizedString and token properly (#646)

fixes #638

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (b40f739)

v7.5.0 (2024-07-04)

Feature

feat: add workaround property for v1.5 and v1.6 (#642)

Property workaround was missing from the vulnerability model. It was added in spec v1.5 and was marked as TODO before.

This is my first contribution on this project so if I done something wrong, just say me 😃

Signed-off-by: Louis Maillard <louis.maillard@savoirfairelinux.com> Signed-off-by: Louis Maillard <louis.maillard@protonmail.com> Co-authored-by: Louis Maillard <louis.maillard@savoirfairelinux.com> (b5ebcf8)

v7.4.1 (2024-06-12)

Documentation

docs: exclude dep bumps from changelog (#627)

fixes #616

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (60361f7)

Fix

fix: cyclonedx.model.Property.value value is optional (#631)

cyclonedx.model.Property.value value is optional, in accordance with the spec.

fixes #630

Signed-off-by: Michael Schlenker <michael.schlenker@contact-software.com> Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> Co-authored-by: Michael Schlenker <michael.schlenker@contact-software.com> Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com> (ad0f98b)

v7.4.0 (2024-05-23)

Documentation

docs: OSSP best practice percentage

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (75f58dc)

Feature

feat: updated SPDX license list to v3.24.0 (#622)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (3f9770a)

v7.3.4 (2024-05-06)

Fix

fix: allow suppliers with empty-string names (#611)

fixes #600

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (b331aeb)

v7.3.3 (2024-05-06)

Fix

fix: json validation allow arbitrary $schema value (#613)

fixes #612

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (08b7c60)

v7.3.2 (2024-04-26)

Fix

fix: properly sort components based on all properties (#599)

reverts #587 - as this one introduced errors fixes #598 fixes #586

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> Signed-off-by: Paul Horton <paul.horton@owasp.org> Co-authored-by: Paul Horton <paul.horton@owasp.org> (8df488c)

v7.3.1 (2024-04-22)

Fix

fix: include all fields of Component in __lt__ function for #586 (#587)

Fixes #586.

Signed-off-by: Paul Horton <paul.horton@owasp.org> (d784685)

v7.3.0 (2024-04-19)

Feature

feat: license factory set acknowledgement (#593)

add a parameter to LicenseFactory.make_*() methods, to set the LicenseAcknowledgement.

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (7ca2455)

v7.2.0 (2024-04-19)

Feature

feat: disjunctive license acknowledgement (#591)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (9bf1839)

Unknown

doc: poor merge resolved

Signed-off-by: Paul Horton <paul.horton@owasp.org> (a498faa)

v7.1.0 (2024-04-10)

Documentation

docs: missing schema support table & update schema support to reflect version 7.0.0 (#584)

Signed-off-by: Paul Horton <paul.horton@owasp.org> (d230e67)

Feature

feat: support bom.properties for CycloneDX v1.5+ (#585)

Signed-off-by: Paul Horton <paul.horton@owasp.org> (1d1c45a)

v7.0.0 (2024-04-09)

Breaking

feat!: Support for CycloneDX v1.6
added draft v1.6 schemas and boilerplate for v1.6

Signed-off-by: Paul Horton <paul.horton@owasp.org>

re-generated test snapshots for v1.6

Signed-off-by: Paul Horton <paul.horton@owasp.org>

note bom.metadata.manufacture as deprecated

Signed-off-by: Paul Horton <paul.horton@owasp.org>

work on bom.metadata for v1.6

Signed-off-by: Paul Horton <paul.horton@owasp.org>

Deprecated .component.author. Added .component.authors and .component.manufacturer

Signed-off-by: Paul Horton <paul.horton@owasp.org>

work to add .component.omniborid - but tests deserialisation tests fail due to schema differences (.component.author not in 1.6)

Signed-off-by: Paul Horton <paul.horton@owasp.org>

work to get deserialization tests passing

Signed-off-by: Paul Horton <paul.horton@owasp.org>

chore(deps): bump py-serializable to >=1.0.3 to resolve issues with deserialization to XML

Signed-off-by: Paul Horton <paul.horton@owasp.org>

imports tidied

Signed-off-by: Paul Horton <paul.horton@owasp.org>

properly added .component.swhid

Signed-off-by: Paul Horton <paul.horton@owasp.org>

add .component.cryptoProperties - with test failures for SchemaVersion < 1.6

Signed-off-by: Paul Horton <paul.horton@owasp.org>

typing and bandit ignores

Signed-off-by: Paul Horton <paul.horton@owasp.org>

coding standards

Signed-off-by: Paul Horton <paul.horton@owasp.org>

test filtering

Signed-off-by: Paul Horton <paul.horton@owasp.org>

coding standards

Signed-off-by: Paul Horton <paul.horton@owasp.org>

additional tests to increase code coverage

Signed-off-by: Paul Horton <paul.horton@owasp.org>

corrected CryptoMode enum

Signed-off-by: Paul Horton <paul.horton@owasp.org>

coding standards

Signed-off-by: Paul Horton <paul.horton@owasp.org>

Added address to organizationalEntity

Signed-off-by: Paul Horton <paul.horton@owasp.org>

Added address to organizationalEntity

Signed-off-by: Paul Horton <paul.horton@owasp.org>

raise UserWarning in .component.version has length > 1024

Signed-off-by: Paul Horton <paul.horton@owasp.org>

coding standards and typing

Signed-off-by: Paul Horton <paul.horton@owasp.org>

add acknowledgement to LicenseExpression (#582)

Signed-off-by: Paul Horton <paul.horton@owasp.org>

more proper way to filter test cases

Signed-off-by: Paul Horton <paul.horton@owasp.org>

update schema to published versions

Signed-off-by: Paul Horton <paul.horton@owasp.org>

fetch schema 1.6 JSON

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

fetch test data for CDX 1.6

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

reformat

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

reformat

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

refactor

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

style

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

refactor

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

docs

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

Signed-off-by: Paul Horton <paul.horton@owasp.org> Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com> (8bbdf46)

v6.4.4 (2024-03-18)

Fix

fix: wrong extra name for xml validation (#571)

Signed-off-by: Christoph Reiter <reiter.christoph@gmail.com> (10e38e2)

v6.4.3 (2024-03-04)

Fix

fix: serialization of model.component.Diff (#557)

Fixes #556

Signed-off-by: rcross-lc <151086351+rcross-lc@users.noreply.github.com> Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com> (22fa873)

v6.4.2 (2024-03-01)

Build

build: use poetry v1.8.1 (#560)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (6f81dfa)

Documentation

docs: update architecture description and examples (#550)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (a19fd28)

docs: exclude internal docs from rendering (#545)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (7e55dfe)

Unknown

docs

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (63cff7e)

docs (#546)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (b0e5b43)

v6.4.1 (2024-01-30)

Documentation

docs: ship docs with sdist build (#544)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (52ef01c)

docs: refactor example

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (c1776b7)

Fix

fix: model.BomRef no longer equal to unset peers (#543)

fixes #539

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (1fd7fee)

v6.4.0 (2024-01-22)

Documentation

docs: add OpenSSF Best Practices shield (#532)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (59c4381)

Feature

feat: support py-serializable v1.0 (#531)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (e1e7277)

v6.3.0 (2024-01-06)

Documentation

docs: add Documentation url to project meta

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (1080b73)

docs: add Documentation url to project meta

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (c4288b3)

Feature

feat: enable dependency py-serializable 0.17 (#529)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (9f24220)

v6.2.0 (2023-12-31)

Build

build: allow additional major-version RC branch patterns

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (f8af156)

Documentation

docs: fix typo

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (2563996)

docs: update intro and description

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (f0bd05d)

docs: buld docs on ubuntu22.04 python311

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (b3e9ab7)

Feature

feat: allow lxml requirement in range of >=4,<6 (#523)

Updates the requirements on lxml to permit the latest version.

Release notes
Changelog
Commits

updated-dependencies:

dependency-name: lxml dependency-type: direct:production ...

Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (7d12b9a)

Unknown

docs

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (7dcd166)

v6.1.0 (2023-12-22)

Feature

feat: add function to map python hashlib algorithms to CycloneDX (#519)

new API: model.HashType.from_hashlib_alg()

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (81f8cf5)

v6.0.0 (2023-12-10)

Breaking

feat!: v6.0.0 (#492)

Breaking Changes

Removed symbols that were already marked as deprecated (via #493)
Removed symbols in parser.* (#489 via #495)
Removed output.LATEST_SUPPORTED_SCHEMA_VERSION (#491 via #494)
Serialization of unsupported enum values might downgrade/migrate/omit them (#490 via #496)
Handling might raise warnings if a data loss occurred due to omitting.
The result is a guaranteed valid XML/JSON, since no (enum-)invalid values are rendered.
Serialization of any model.component.Component with unsupported type raises exception.serialization.SerializationOfUnsupportedComponentTypeException (#490 via #496)
Object model.bom_ref.BomRef's property value defaults to Null, was arbitrary UUID (#504 via #505)
This change does not affect serialization. All bom-refs are guaranteed to have unique values on rendering.
Removed helpers from public API (#503 via #506)

Added

Basic support for CycloneDX 1.5 (#404 via #488)
- No data models were enhanced nor added, yet.
  Pull requests to add functionality are welcome.
- Existing enumerable got new cases, to reflect features of CycloneDX 1.5 (#404 via #488)
- Outputters were enabled to render CycloneDX 1.5 (#404 via #488)

Tests

Created (regression/unit/integration/functional) tests for CycloneDX 1.5 (#404 via #488)
Created (regression/functional) tests for Enums' handling and completeness (#490 via #496)

Misc

Bumped dependency py-serializable@^0.16, was @^0.15 (via #496)

API Changes — the details for migration

Added new sub-package exception.serialization (via #496)
Removed class models.ComparableTuple (#503 via #506)
Enum model.ExternalReferenceType got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
Removed function models.get_now_utc (#503 via #506)
Removed function models.sha1sum (#503 via #506)
Enum model.component.ComponentType got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
Removed model.component.Component.__init__()'s deprecated optional kwarg namespace (via #493)
Use kwarg group instead.
Removed model.component.Component.__init__()'s deprecated optional kwarg license_str (via #493)
Use kwarg licenses instead.
Removed deprecated method model.component.Component.get_namespace() (via #493)
Removed class models.dependency.DependencyDependencies (#503 via #506)
Removed model.vulnerability.Vulnerability.__init__()'s deprecated optional kwarg source_name (via #493)
Use kwarg source instead.
Removed model.vulnerability.Vulnerability.__init__()'s deprecated optional kwarg source_url (via #493)
Use kwarg source instead.
Removed model.vulnerability.Vulnerability.__init__()'s deprecated optional kwarg recommendations (via #493)
Use kwarg recommendation instead.
Removed model.vulnerability.VulnerabilityRating.__init__()'s deprecated optional kwarg score_base (via #493)
Use kwarg score instead.
Enum model.vulnerability.VulnerabilityScoreSource got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
Removed output.LATEST_SUPPORTED_SCHEMA_VERSION (#491 via #494)
Removed deprecated function output.get_instance() (via #493)
Use function output.make_outputter() instead.
Added new class output.json.JsonV1Dot5, to reflect CycloneDX 1.5 (#404 via #488)
Added new item to dict output.json.BY_SCHEMA_VERSION, to reflect CycloneDX 1.5 (#404 via #488)
Added new class output.xml.XmlV1Dot5, to reflect CycloneDX 1.5 (#404 via #488)
Added new item to dict output.xml.BY_SCHEMA_VERSION, to reflect CycloneDX 1.5 (#404 via #488)
Removed class parser.ParserWarning (#489 via #495)
Removed class parser.BaseParser (#489 via #495)
Enum schema.SchemaVersion got new case V1_5, to reflect CycloneDX 1.5 (#404 via #488)

Signed-off-by: Johannes Feichtner <johannes@web-wack.at> Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> Signed-off-by: semantic-release <semantic-release> Co-authored-by: Johannes Feichtner <343448+Churro@users.noreply.github.com> Co-authored-by: semantic-release <semantic-release> (74865f8)

v5.2.0 (2023-12-02)

Documentation

docs: keywaords & funding (#486)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (3189e59)

Feature

feat: model.XsUri migrate control characters according to spec (#498)

fixes #497

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (e490429)

v5.1.1 (2023-11-02)

Fix

fix: update own externalReferences (#480)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (edb3dde)

v5.1.0 (2023-10-31)

Documentation

docs: advance license docs

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (f61a730)

Feature

feat: guarantee unique BomRefs in serialization result (#479)

Incorporate output.BomRefDiscriminator on serialization

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (a648775)

v5.0.1 (2023-10-24)

Documentation

docs: revisit project meta (#475)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (c3254d0)

docs: fix RTFD build (#476)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (b9fcfb4)

Unknown

"chore(deps): revert bump python-semantic-release/python-semantic-release (#474)"

This reverts commit 9c3ffac34e89610ccc4f9701444127e1e6f5ee07.

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (aae7304)

v5.0.0 (2023-10-24)

Breaking

feat!: v5.0.0 (#440)

BREAKING CHANGES

Dropped support for python<3.8 (#436 via #441; enable #433)
Reworked license related models, collections, and factories (#365 via #466)
Behavior
- Method model.bom.Bom.validate() will throw exception.LicenseExpressionAlongWithOthersException, if detecting invalid license constellation (#453 via #452)
- Fixed tuple comparison when unequal lengths (via #461)
API
- Enum schema.SchemaVersion is no longer string-like (#442 via #447)
- Enum schema.OutputVersion is no longer string-like (#442 via #447)
- Abstract class output.BaseOutput requires implementation of new method output_format (#446 via #447)
- Abstract method output.BaseOutput.output_as_string() got new optional parameter indent (#437 via #458)
- Abstract method output.BaseOutput.output_as_string() accepts arbitrary kwargs (via #458, #462)
- Removed class factory.license.LicenseChoiceFactory (via #466)
  The old functionality was integrated into factory.license.LicenseFactory.
- Method factory.license.LicenseFactory.make_from_string()'s parameter name_or_spdx was renamed to value (via #466)
- Method factory.license.LicenseFactory.make_from_string()'s return value can also be a LicenseExpression (#365 via #466)
  The behavior imitates the old factory.license.LicenseChoiceFactory.make_from_string()
- Renamed class module.License to module.license.DisjunctliveLicense (#365 via #466)
- Removed class module.LicenseChoice (#365 via #466)
  Use dedicated classes module.license.DisjunctliveLicense and module.license.LicenseExpression instead
- All occurrences of models.LicenseChoice were replaced by models.licenses.License (#365 via #466)
- All occurrences of SortedSet[LicenseChoice] were specialized to models.license.LicenseRepository (#365 via #466)

Fixed

Serialization of multy-licenses (#365 via #466)
Detect unused "dependent" components in model.bom.validate() (via #464)

Changed

Updated latest supported list of supported SPDX license identifiers (via #433)
Shipped schema files are moved to a protected space (via #433)
These files were never intended for public use.
XML output uses a default namespace, which makes results smaller. (#438 via #458)

Added

Support for Python 3.12 (via #460)
JSON- & XML-Validators (#432, #446 via #433, #448)
The functionality might require additional dependencies, that can be installed with the extra "validation".
See the docs in section "Installation" for details.
JSON & XML can be generated in a more human-friendly form (#437, #438 via #458)
Type hints, typings & overloads for better integration downstream (via #463)
API
- New function output.make_outputter() (via #469)
  This replaces the deprecated function output.get_instance().
- New sub-package validation (#432, #446 via #433, #448, #469, #468, #469)
- New class exception.MissingOptionalDependencyException (#432 via #433)
- New class exception.LicenseExpressionAlongWithOthersException (#453 via #452)
- New dictionaries output.{json,xml}.BY_SCHEMA_VERSION (#446 via #447)
- Existing implementations of class output.BaseOutput now have a new method output_format (#446 via #447)
- Existing implementations of method output.BaseOutput.output_as_string() got new optional parameter indent (#437 via #458)
- Existing implementations of method output.BaseOutput.output_to_file() got new optional parameter indent (#437 via #458)
- New method factory.license.LicenseFactory.make_with_expression() (via #466)
- New class model.license.DisjunctiveLicense (#365 via #466)
- New class model.license.LicenseExpression (#365 via #466)
- New class model.license.LicenseRepository (#365 via #466)
- New class serialization.LicenseRepositoryHelper (#365 via #466)

Deprecated

Function output.get_instance() might be removed, use output.make_outputter() instead (via #469)

Tests

Added validation tests with official CycloneDX schema test data (#432 via #433)
Use proper snapshots, instead of pseudo comparison (#437 via #464)
Added regression test for bug #365 (via #466, #467)

Misc

Dependencies: bumped py-serializable@^0.15.0, was @^0.11.1 (via #458, #463, #464, #466)
Style: streamlined quotes and strings (via #472)
Chore: bumped internal dev- and QA-tools (#436 via #441, #472)
Chore: added more QA tools to prevent common security issues (via #473)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> Signed-off-by: Jan Kowalleck <jan.kowalleck@owasp.org> Signed-off-by: semantic-release <semantic-release> Co-authored-by: semantic-release <semantic-release> (26b151c)

v4.2.3 (2023-10-16)

Fix

fix: SPDX-expression-validation internal crashes are cought and handled (#471)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (5fa66a0)

v4.2.2 (2023-09-14)

Documentation

docs: fix shield in README

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (6a941b1)

docs(example): showcase LicenseChoiceFactory (#428)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (c56ec83)

Fix

fix: ship meta files (#434)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (3a1a8a5)

v4.2.1 (2023-09-06)

Fix

fix: LicenseChoiceFactory.make_from_string() prioritize SPDX id over expression (#427)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (e1bdfdd)

v4.2.0 (2023-09-06)

Feature

feat: complete SPDX license expression (#425)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (e06f9fd)

v4.1.0 (2023-08-27)

Documentation

docs(examples): showcase shorthand dependency management (#403)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (8b32efb)

Feature

feat: programmatic access to library's version (#417)

adds cyclonedx.__version__

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (3585ea9)

v4.0.1 (2023-06-28)

Documentation

docs(examples): README (#399)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (1d262ba)

docs: add exaple how to build and serialize (#397)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (65e22bd)

Fix

fix: conditional warning if no root dependencies were found (#398)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (c8175bb)

Unknown

4.0.1

Automatically generated by python-semantic-release (4a72f51)

Add missing space in warning message. (#364)

Signed-off-by: Michael Schlenker <michael.schlenker@contact-software.com> Co-authored-by: Michael Schlenker <michael.schlenker@contact-software.com> (dad0d28)

v4.0.0 (2023-03-20)

Breaking

feat: Release 4.0.0 #341)

Highlights of this release include:

Support for De-serialization from JSON and XML to this Pythonic Model
Deprecation of Python 3.6 support
Support for Python 3.11
Support for BomLink
Support VEX without needing Component in the same Bom
Support for services having dependencies

BREAKING CHANGE: Large portions of this library have been re-written for this release and many methods and contracts have changed.

Signed-off-by: Paul Horton <paul.horton@owasp.org>

feat: support VEX without Components in the same BOM

BREAKING CHANGE: Model classes changed to relocated Vulnerability at Bom, not at Component

Signed-off-by: Paul Horton <paul.horton@owasp.org>

feat: support VEX without Components in the same BOM

BREAKING CHANGE: Model classes changed to relocated Vulnerability at Bom, not at Component

Signed-off-by: Paul Horton <paul.horton@owasp.org>

feat: allow version of BOM to be defined

feat: allow serial_number of BOM to be prescribed

feat: add helper method to get URN for a BOM according to https://www.iana.org/assignments/urn-formal/cdx Signed-off-by: Paul Horton <paul.horton@owasp.org>

chore: fix release workflow
chore: editorconfig

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

feat: support for deserialization from JSON and XML (#290)

BREAKING CHANGE:

feat: drop Python 3.6 support

Signed-off-by: Hakan Dilek <hakandilek@gmail.com> Signed-off-by: Paul Horton <paul.horton@owasp.org> Co-authored-by: Hakan Dilek <hakandilek@gmail.com> Co-authored-by: Hakan Dilek <hakandilek@users.noreply.github.com>

fix: update serializable to include XML safety changes

Signed-off-by: Paul Horton <paul.horton@owasp.org>

feat: Support for Python 3.11 (#349)
feat: officially test and support Python 3.11

Signed-off-by: Paul Horton <paul.horton@owasp.org>

removed unused imports

Signed-off-by: Paul Horton <paul.horton@owasp.org>

bump poetry to 1.1.12 in CI

Signed-off-by: Paul Horton <paul.horton@owasp.org>

fix: remove toml as dependency as not used and seems to be breaking Python 3.11 CI

Signed-off-by: Paul Horton <paul.horton@owasp.org>

fix: removed types-toml from dependencies - not used

Signed-off-by: Paul Horton <paul.horton@owasp.org>

fix: removed autopep8 in favour of flake8 as both have conflicting dependencies now

Signed-off-by: Paul Horton <paul.horton@owasp.org>

chore: bump dev dependencies

fix: removed setuptools as dependency Signed-off-by: Paul Horton <paul.horton@owasp.org>

tests: compoennt versions optional (#350)
chore: exclude venv* from QA; add typing to QA

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

tests: component versions are optional

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

doc: doc updates for new deserialization feature

Signed-off-by: Paul Horton <paul.horton@owasp.org>

doc: doc updates for contribution

Signed-off-by: Paul Horton <paul.horton@owasp.org>

Signed-off-by: Paul Horton <paul.horton@owasp.org> Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> Signed-off-by: Hakan Dilek <hakandilek@gmail.com> Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com> Co-authored-by: Hakan Dilek <hakandilek@gmail.com> Co-authored-by: Hakan Dilek <hakandilek@users.noreply.github.com> (8fb1b14)

Unknown

4.0.0

Automatically generated by python-semantic-release (40fbfda)

v3.1.5 (2023-01-12)

Fix

fix: mak test's schema paths relative to cyclonedx package (#338)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (1f0c05f)

Unknown

3.1.5

Automatically generated by python-semantic-release (ba603cf)

v3.1.4 (2023-01-11)

Fix

fix(tests): include tests in sdist builds (#337)
feat: include tests in sdist builds for #336
delete unexpected DS_Store file

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (936ad7d)

Unknown

3.1.4

Automatically generated by python-semantic-release (0b19294)

v3.1.3 (2023-01-07)

Fix

fix: serialize dependency graph for nested components (#329)
tests: regression tests for issue #328
fix: for issue #328

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (fb3f835)

Unknown

3.1.3

Automatically generated by python-semantic-release (11a420c)

v3.1.2 (2023-01-06)

Documentation

docs: typo

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (539b57a)

docs: fix shields (#324)

caused by badges/shields#8671

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (555dad4)

docs: fix typo (#318)

Signed-off-by: Roland Weber <rolweber@de.ibm.com> (63bfb87)

Fix

fix: prevent errors on metadata handling for some specification versions (#330)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (f08a656)

Unknown

3.1.2

Automatically generated by python-semantic-release (0853d14)

clarify sign-off step (#319)

Signed-off-by: Roland Weber <rolweber@de.ibm.com> (007fb96)

v3.1.1 (2022-11-28)

Fix

fix: type hint for get_component_by_purl is incorrect

chore: force automated release Signed-off-by: Paul Horton <paul.horton@owasp.org> (3f20bf0)

Unknown

3.1.1

Automatically generated by python-semantic-release (503955e)

Merge pull request #310 from gruebel/fix-method-type-hint

fix: type hint for get_component_by_purl is incorrect (06037b9)

move tests to model bom file

Signed-off-by: gruebel <anton.gruebel@gmail.com> (4c8a3ab)

fix type hint for get_component_by_purl

Signed-off-by: gruebel <anton.gruebel@gmail.com> (735c05e)

v3.1.0 (2022-09-15)

Feature

feat: out-factor SPDX compund detection

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (fd4d537)

feat: out-factor SPDX compund detection

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (2b69925)

feat: license factories

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (033bad2)

Unknown

3.1.0

Automatically generated by python-semantic-release (e52c174)

Merge pull request #305 from CycloneDX/license-factories

feat: add license factories to more easily support creation of License or LicenseChoice from SPDX license strings #304 (5ff4494)

Merge pull request #301 from CycloneDX/fix-poetry-in-tox

chore: fix poetry in tox (92aea8d)

remove v3 from CHANGELOG #286 (#287)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (7029721)

3.0.0

Automatically generated by python-semantic-release (69582ff)

v2.7.1 (2022-08-01)

Fix

fix: pinned mypy <= 0.961 due to #278

Signed-off-by: Paul Horton <paul.horton@owasp.org> (d6955cb)

fix: properly support nested components and services #275

Signed-off-by: Paul Horton <paul.horton@owasp.org> (6597db7)

Unknown

Merge pull request #276 from CycloneDX/fix/bom-validation-nested-components-isue-275

fix: BOM validation fails when Components or Services are nested #275

fix: updated dependencies #271, #270, #269 and #256 (68a0cdd)

Merge branch 'main' into fix/bom-validation-nested-components-isue-275 (6caee65)
added tests to cover new Component.get_all_nested_components() method

Signed-off-by: Paul Horton <paul.horton@owasp.org> (75a77ed)

Revert "chore: re-added isort to pre-commit hooks"

This reverts commit f50ee1eb79f3f4e5b9d21824e64192d0af43d3f0.

Signed-off-by: Paul Horton <paul.horton@owasp.org> (5f7f30e)

removed tests where services are part of dependency tree - see #277

Signed-off-by: Paul Horton <paul.horton@owasp.org> (f26862b)

aded XML output tests for Issue #275

Signed-off-by: Paul Horton <paul.horton@owasp.org> (ebef5f2)

updated XML output tests

Signed-off-by: Paul Horton <paul.horton@owasp.org> (356c37e)

addressed JSON output for #275 including test addiitions

Signed-off-by: Paul Horton <paul.horton@owasp.org> (692c005)

v2.7.0 (2022-07-21)

Feature

feat: support for CycloneDX schema 1.4.2 - adds vulnerability.properties to the schema (32e7929)
feat: support for CycloneDX schema version 1.4.2

Provides support for vulnerability.properties

Signed-off-by: Paul Horton <paul.horton@owasp.org> (db7445c)

feat: added updated CycloneDX 1.4.2 schemas

Signed-off-by: Paul Horton <paul.horton@owasp.org> (7fb27ae)

Unknown

2.7.0

Automatically generated by python-semantic-release (96d155e)

v2.6.0 (2022-06-20)

Feature

feat: reduce unnessessarry type casting of set/SortedSet (#203)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (089d971)

Unknown

2.6.0

Automatically generated by python-semantic-release (8481e9b)

v2.5.2 (2022-06-15)

Fix

fix: add expected lower-than comparators for OrganizationalEntity and VulnerabilityCredits (#248)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (0046ee1)

Unknown

2.5.2

Automatically generated by python-semantic-release (fb9a796)

v2.5.1 (2022-06-10)

Fix

fix: add missing Vulnerability comparator for sorting (#246)

Partial fix for #245.

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (c3f3d0d)

Unknown

2.5.1

Automatically generated by python-semantic-release (1ea5b20)

v2.5.0 (2022-06-10)

Build

build: move typing to dev-dependencies

Move types-setuptools and types-toml to dev-dependencies (#226)

Signed-off-by: Adam Johnson <me@adamj.eu> (0e2376b)

Documentation

docs: fix typo "This is out" -> "This is our"

Fix typo in comments: "This is out" -> "This is our" (#233)

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (ef0278a)

Feature

feat: use SortedSet in model to improve reproducibility - this will provide predictable ordering of various items in generated CycloneDX documents - thanks to @RodneyRichardson

Signed-off-by: Paul Horton <paul.horton@owasp.org> (8a1c404)

Unknown

2.5.0

Automatically generated by python-semantic-release (c820423)

Merge pull request #235 from RodneyRichardson/use-sorted-set

feat: use SortedSet in model to improve reproducibility - this will provide predictable ordering of various items in generated CycloneDX documents - thanks to @RodneyRichardson (c43f6d8)

Merge branch 'CycloneDX:main' into use-sorted-set (1b8ac25)
Fix SortedSet type hints for python < 3.8

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (71eeb4a)

Fix line length warning.

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (e9ee712)

Fix more type hints for python < 3.8

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (f042bce)

Fix SortedSet type hints for python < 3.8

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (2e283ab)

Fix type hint on ComparableTuple

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (43ef908)

Sort usings.

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (8f86c12)

Fix sonatype-lift warnings

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (f1e92e3)

Fix warnings.

Change tuple -> Tuple Fix Diff initialization Add sorting to AttachedText

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (2b47ff6)

Reduce sortedcontainers.pyi to only the functions used.

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (ef0fbe2)

Remove flake8 warnings

Remove unused imports and trailing whitespace. Sort usings in pyi file.

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (41d1bee)

Add type hints for SortedSet

Fix use of set/Set.

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (df0f554)

Replace object type hint in lt with Any

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (ec22f68)

Make reorder() return type explicit List (as flagged by sonatype-lift bot)

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (695ee86)

Use SortedSet in model to improve reproducibility

Added __lt__() to all model classes used in SortedSet, with tests Explicitly declared Enums as (str, Enum) to allow sorting Added dependency to sortedcollections package

Signed-off-by: Rodney Richardson <rodney.richardson@cambridgeconsultants.com> (368f522)

v2.4.0 (2022-05-17)

Feature

feat(deps): remove unused typing-extensions constraints

PullRequest and details via #224

Signed-off-by: gruebel <anton.gruebel@gmail.com> (2ce358a)

Unknown

2.4.0

Automatically generated by python-semantic-release (4874354)

revert types-toml on lowest setup (32ece98)

v2.3.0 (2022-04-20)

Feature

feat: add support for Dependency Graph in Model and output serialisation

Signed-off-by: Paul Horton <paul.horton@owasp.org> (ea34513)

Unknown

2.3.0

Automatically generated by python-semantic-release (5c1047a)

Merge pull request #210 from CycloneDX/feat/support-bom-dependencies

feat: add support for Dependency Graph in Model and output serialisation (JSON and XML) (938169c)

Merge pull request #214 from CycloneDX/feat/support-bom-dependencies-no-cast

no cast (2551545)

no cast

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (dec3b70)

update to use Set operators (more Pythonic)

Signed-off-by: Paul Horton <paul.horton@owasp.org> (f01665e)

missing closing > in BomRef.__repr__

Signed-off-by: Paul Horton <paul.horton@owasp.org> (2c7c4be)

removed unnecessary condition - self.get_bom().components is always a Set

Signed-off-by: Paul Horton <paul.horton@owasp.org> (5eb5669)

added additional tests to validate Component in Metadata is properly represented in Dependency Graph

Signed-off-by: Paul Horton <paul.horton@owasp.org> (b8d526e)

adjusted unit tests to account for inclusion of Component in Bom Metadata in Dependency Graphy

Signed-off-by: Paul Horton <paul.horton@owasp.org> (c605f2b)

updates based on feedback from @jkowalleck

Signed-off-by: Paul Horton <paul.horton@owasp.org> (04511f3)

Merge branch 'feat/support-bom-dependencies' of github.com:CycloneDX/cyclonedx-python-lib into feat/support-bom-dependencies (8fb408c)
doc: updated docs to reflect support for Dependency Graph

Signed-off-by: Paul Horton <paul.horton@owasp.org> (a680544)

updated file hash in test

Signed-off-by: Paul Horton <paul.horton@owasp.org> (56f3d5d)

removed unused import

Signed-off-by: Paul Horton <paul.horton@owasp.org> (61c3338)

doc: updated docs to reflect support for Dependency Graph

Signed-off-by: Paul Horton <paul.horton@owasp.org> (3df017f)

updated file hash in test

Signed-off-by: Paul Horton <paul.horton@owasp.org> (449cb1e)

removed unused import

Signed-off-by: Paul Horton <paul.horton@owasp.org> (f487c4a)

v2.2.0 (2022-04-12)

Feature

feat: Bump XML schemas to latest fix version for 1.2-1.4 - see: CycloneDX/specification#122

Signed-off-by: Paul Horton <phorton@sonatype.com> (bd2e756)

feat: bump JSON schemas to latest fix verison for 1.2 and 1.3 - see:

CycloneDX/specification#123
CycloneDX/specification#84
CycloneDX/specification#125

Signed-off-by: Paul Horton <phorton@sonatype.com> (bd6a088)

Unknown

2.2.0

Automatically generated by python-semantic-release (67ecfac)

Merge pull request #207 from CycloneDX/feat/update-schemas

feat: Update CycloneDX Schemas to latest patch versions (2c55cb5)

mark schema files as vendored

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (a9c3e77)

Merge pull request #191 from CycloneDX/feat/pre-commit-hooks

[DEV] Add pre-commit hooks (91ceeb1)

v2.1.1 (2022-04-05)

Fix

fix: prevent error if version not set

Signed-off-by: Paul Horton <phorton@sonatype.com> (b9a84b5)

Unknown

2.1.1

Automatically generated by python-semantic-release (f78d608)

Merge pull request #194 from CycloneDX/fix/json-output-version-optional-bug-193

fix: version being optional in JSON output can raise error (6f7e09a)

v2.1.0 (2022-03-28)

Feature

feat: output errors are verbose

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (bfe8fb1)

Fix

fix: version being optional in JSON output can raise error

Signed-off-by: Paul Horton <phorton@sonatype.com> (ba0c82f)

Unknown

2.1.0

Automatically generated by python-semantic-release (c58f8f8)

Merge pull request #198 from CycloneDX/verbose_outout_errors

fix: improved output errors - file/directory is now included (4618c62)

updated to be more pythonic

Signed-off-by: Paul Horton <phorton@sonatype.com> (a1bbf00)

doc: added CONTRIBUTING to public docs doc: included pre-commit hooks in CONTRIBUTING

Signed-off-by: Paul Horton <phorton@sonatype.com> (f38215f)

Merge pull request #182 from CycloneDX/sort-imports

style: sort imports (aa37e56)

v2.0.0 (2022-02-21)

Breaking

feat: bump dependencies

BREAKING CHANGE: Adopt PEP-3102

BREAKING CHANGE: Optional Lists are now non-optional Sets

BREAKING CHANGE: Remove concept of DEFAULT schema version - replaced with LATEST schema version

BREAKING CHANGE: Added BomRef data type

Signed-off-by: Paul Horton <phorton@sonatype.com> (da3f0ca)

Feature

feat: completed work on #155 (#172)

fix: resolved #169 (part of #155) feat: as part of solving #155, #147 has been implemented

Signed-off-by: Paul Horton <phorton@sonatype.com> (a926b34)

feat: support complete model for bom.metadata (#162)
feat: support complete model for bom.metadata fix: JSON comparison in unit tests was broken chore: corrected some source license headers

Signed-off-by: Paul Horton <phorton@sonatype.com> (2938a6c)

feat: support for bom.externalReferences in JSON and XML #124

Signed-off-by: Paul Horton <phorton@sonatype.com> (1b733d7)

feat: Complete support for bom.components (#155)
fix: implemented correct __hash__ methods in models (#153)

Signed-off-by: Paul Horton <phorton@sonatype.com> (32c0139)

feat: support services in XML BOMs feat: support nested services in JSON and XML BOMs

Signed-off-by: Paul Horton <phorton@sonatype.com> (9edf6c9)

Fix

fix: license_url not serialised in XML output #179 (#180)

Signed-off-by: Paul Horton <phorton@sonatype.com> (f014d7c)

fix: Component.bom_ref is not Optional in our model implementation (in the schema it is) - we generate a UUID if bom_ref is not supplied explicitly

Signed-off-by: Paul Horton <phorton@sonatype.com> (5c954d1)

fix: temporary fix for __hash__ of Component with properties #153

Signed-off-by: Paul Horton <phorton@sonatype.com> (a51766d)

fix: further fix for #150

Signed-off-by: Paul Horton <phorton@sonatype.com> (1f55f3e)

fix: regression introduced by first fix for #150

Signed-off-by: Paul Horton <phorton@sonatype.com> (c09e396)

fix: Components with no version (optional since 1.4) produce invalid BOM output in XML #150

Signed-off-by: Paul Horton <phorton@sonatype.com> (70d25c8)

fix: expression not supported in Component Licsnes for version 1.0

Signed-off-by: Paul Horton <phorton@sonatype.com> (15b081b)

Unknown

2.0.0

Automatically generated by python-semantic-release (a4af3dc)

Merge pull request #148 from CycloneDX/feat/add-bom-services (631e400)
Merge branch 'main' into feat/add-bom-services (9a32351)
doc: added RTD badge to README

Signed-off-by: Paul Horton <phorton@sonatype.com> (b20d9d1)

implemented __str__ for BomRef

Signed-off-by: Paul Horton <phorton@sonatype.com> (670bde4)

Continuation of #170 - missed updating Vulnerability to use BomRef (#175)
BREAKING CHANGE: added new model BomRef unlocking logic later to ensure uniquness and dependency references

Signed-off-by: Paul Horton <phorton@sonatype.com>

updated Vulnerability to also use new BomRef model

Signed-off-by: Paul Horton <phorton@sonatype.com> (0d82c01)

BREAKING CHANGE: added new model BomRef unlocking logic later to ensure uniquness and dependency references (#174)

Signed-off-by: Paul Horton <phorton@sonatype.com> (d189f2c)

BREAKING CHANGE: replaced concept of default schema version with latest supported #171 (#173)

Signed-off-by: Paul Horton <phorton@sonatype.com> (020fcf0)

BREAKING CHANGE: Updated default schema version to 1.4 from 1.3 (#164)

Signed-off-by: Paul Horton <phorton@sonatype.com> (9b6ce4b)

BREAKING CHANGE: update models to use Set rather than List (#160)
BREAKING CHANGE: update models to use Set and Iterable rather than List[..] BREAKING CHANGE: update final models to use @property wip

Signed-off-by: Paul Horton <phorton@sonatype.com> (142b8bf)

removed unnecessary calls to hash() in __hash__() methods as pointed out by @jkowalleck

Signed-off-by: Paul Horton <phorton@sonatype.com> (0f1fd6d)

BREAKING CHANGE: adopted PEP-3102 for model classes (#158)

Signed-off-by: Paul Horton <phorton@sonatype.com> (b3c8d9a)

doc: added page to docs to call out which parts of the specification this library supports

Signed-off-by: Paul Horton <phorton@sonatype.com> (41a4be0)

attempt to resolve Lift finding

Signed-off-by: Paul Horton <phorton@sonatype.com> (2090c08)

removed unused imports

Signed-off-by: Paul Horton <phorton@sonatype.com> (a35d540)

WIP on bom.services
WIP but a lil hand up for @madpah

Signed-off-by: Jeffry Hesse <5544326+DarthHater@users.noreply.github.com>

chore: added missing license header

Signed-off-by: Paul Horton <phorton@sonatype.com>

No default values for required fields
Add Services to BOM
Typo fix
aligned classes with standards, commented out Signature work for now, added first tests for Services

Signed-off-by: Paul Horton <phorton@sonatype.com>

addressed standards

Signed-off-by: Paul Horton <phorton@sonatype.com>

1.2.0

Automatically generated by python-semantic-release

Signed-off-by: Paul Horton <phorton@sonatype.com>

feat: bom-ref for Component and Vulnerability default to a UUID (#142)
feat: bom-ref for Component and Vulnerability default to a UUID if not supplied ensuring they have a unique value #141

Signed-off-by: Paul Horton <phorton@sonatype.com>

doc: updated documentation to reflect change

Signed-off-by: Paul Horton <phorton@sonatype.com>

patched other tests to support UUID for bom-ref

Signed-off-by: Paul Horton <phorton@sonatype.com>

better syntax

Signed-off-by: Paul Horton <phorton@sonatype.com>

1.3.0

Automatically generated by python-semantic-release

Signed-off-by: Paul Horton <phorton@sonatype.com>

WIP but a lil hand up for @madpah

Signed-off-by: Jeffry Hesse <5544326+DarthHater@users.noreply.github.com> Signed-off-by: Paul Horton <phorton@sonatype.com>

chore: added missing license header

Signed-off-by: Paul Horton <phorton@sonatype.com>

aligned classes with standards, commented out Signature work for now, added first tests for Services

Signed-off-by: Paul Horton <phorton@sonatype.com>

removed signature from this branch

Signed-off-by: Paul Horton <phorton@sonatype.com>

Add Services to BOM
Typo fix
addressed standards

Signed-off-by: Paul Horton <phorton@sonatype.com>

resolved typing issues from merge

Signed-off-by: Paul Horton <phorton@sonatype.com>

added a bunch more tests for JSON output

Signed-off-by: Paul Horton <phorton@sonatype.com>

Co-authored-by: Paul Horton <phorton@sonatype.com> Co-authored-by: github-actions <action@github.com> (b45ff18)

v1.3.0 (2022-01-24)

Feature

feat: bom-ref for Component and Vulnerability default to a UUID (#142)
feat: bom-ref for Component and Vulnerability default to a UUID if not supplied ensuring they have a unique value #141

Signed-off-by: Paul Horton <phorton@sonatype.com>

doc: updated documentation to reflect change

Signed-off-by: Paul Horton <phorton@sonatype.com>

patched other tests to support UUID for bom-ref

Signed-off-by: Paul Horton <phorton@sonatype.com>

better syntax

Signed-off-by: Paul Horton <phorton@sonatype.com> (3953bb6)

Unknown

1.3.0

Automatically generated by python-semantic-release (4178181)

v1.2.0 (2022-01-24)

Feature

feat: add CPE to component (#138)
Added CPE to component

Setting CPE was missing for component, now it is possible to set CPE and output CPE for a component.

Signed-off-by: Jens Lucius <jens.lucius@de.bosch.com>

Fixing problems with CPE addition

Fixed styling errors
Added reference to CPE Spec
Adding CPE parameter as last parameter to not break arguments

Signed-off-by: Jens Lucius <jens.lucius@de.bosch.com>

Again fixes for Style and CPE reference

Missing in the last commit

Signed-off-by: Jens Lucius <jens.lucius@de.bosch.com>

Added CPE as argument before deprecated arguments

Signed-off-by: Jens Lucius <jens.lucius@de.bosch.com>

Added testing for CPE addition and error fixing

Added output tests for CPE in XML and JSON
Fixes style error in components
Fixes order for CPE output in XML (CPE has to come before PURL)

Signed-off-by: Jens Lucius <jens.lucius@de.bosch.com>

Fixed output tests

CPE was still in the wrong position in one of the tests - fixed

Signed-off-by: Jens Lucius <jens.lucius@de.bosch.com>

Fixed minor test fixtures issues

cpe was still in wrong position in 1.2 JSON
Indentation fixed in 1.4 JSON

Signed-off-by: Jens Lucius <jens.lucius@de.bosch.com>

Fixed missing comma in JSON 1.2 test file

Signed-off-by: Jens Lucius <jens.lucius@de.bosch.com> (269ee15)

Unknown

1.2.0

Automatically generated by python-semantic-release (97c215c)

v1.1.1 (2022-01-19)

Fix

fix: bump dependencies (#136)

Signed-off-by: Paul Horton <phorton@sonatype.com> (18ec498)

Unknown

1.1.1

Automatically generated by python-semantic-release (dec63de)

v1.1.0 (2022-01-13)

Feature

feat: add support for bom.metadata.component (#118)
Add support for metadata component

Part of #6

Signed-off-by: Artem Smotrakov <asmotrakov@riotgames.com>

Better docs and simpler ifs

Signed-off-by: Artem Smotrakov <asmotrakov@riotgames.com> (1ac31f4)

Unknown

1.1.0

Automatically generated by python-semantic-release (d4007bd)

v1.0.0 (2022-01-13)

Unknown

Manually generated release (3509fb6)
Support for CycloneDX schema version 1.4 (#108)

BREAKING CHANGE: Support for CycloneDX 1.4. This includes:

Support for tools having externalReferences
Allowing version for a Component to be optional in 1.4
Support for releaseNotes per Component
Support for the core schema implementation of Vulnerabilities (VEX)

Other changes included in this PR:

Unit tests now include schema validation (we've left schema validation out of the core library due to dependency bloat)
Fixes to ensure schema is adhered to in 1.0
URI's are now used throughout the library through a new XsUri class to provide URI validation
Documentation is now hosted on readthedocs.org (https://cyclonedx-python-library.readthedocs.io/)
$schema is now included in JSON BOMs
Concrete Parsers how now been moved into downstream projects to keep this libraries focus on modelling and outputting CycloneDX - see https://github.com/CycloneDX/cyclonedx-python
Added reference to release of this library on Anaconda

Signed-off-by: Paul Horton <phorton@sonatype.com>

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

Co-authored-by: Paul Horton <phorton@sonatype.com>

Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com> (7fb6da9)

Merge branch 'main' of github.com:CycloneDX/cyclonedx-python-lib (d26970b)
Update CONTRIBUTING.md (4448d9b)

v0.12.3 (2021-12-15)

Fix

fix: removed requirements-parser as dependency (temp) as not available for Python 3 as Wheel (#98)

Signed-off-by: Paul Horton <phorton@sonatype.com> (3677d9f)

Unknown

0.12.3

Automatically generated by python-semantic-release (cfc9d38)

v0.12.2 (2021-12-09)

Fix

fix: tightened dependency packageurl-python (#95)

fixes #94

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (eb4ae5c)

Unknown

0.12.2

Automatically generated by python-semantic-release (54b9f74)

v0.12.1 (2021-12-09)

Fix

fix: further loosened dependency definitions

see #44

updated some locked dependencies to latest versions

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (8bef6ec)

Unknown

0.12.1

Automatically generated by python-semantic-release (43fc36e)

v0.12.0 (2021-12-09)

Feature

feat: loosed dependency versions to make this library more consumable
feat: lowering minimum dependency versions

Signed-off-by: Paul Horton <phorton@sonatype.com>

feat: lowering minimum dependency versions

Signed-off-by: Paul Horton <phorton@sonatype.com>

feat: lowering minimum dependency versions - importlib-metadata raising minimum to ensure we get a typed library

Signed-off-by: Paul Horton <phorton@sonatype.com>

feat: lowering minimum dependency versions - importlib-metadata raising minimum to ensure we get a typed library

Signed-off-by: Paul Horton <phorton@sonatype.com>

feat: lowering minimum version for importlib-metadata to 3.4.0 with modified import statement

Signed-off-by: Paul Horton <phorton@sonatype.com> (55f10fb)

Unknown

0.12.0

Automatically generated by python-semantic-release (1a907ea)

Merge pull request #88 from CycloneDX/contributing-file

initial CONTRIBUTING file (20035bb)

initial CONTRIBUTING file

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (6ffe14d)

CHORE: poetry(deps): bump filelock from 3.3.2 to 3.4.0

poetry(deps): bump filelock from 3.3.2 to 3.4.0 (e144aa2)

CHORE: poetry(deps): bump types-setuptools from 57.4.2 to 57.4.4

poetry(deps): bump types-setuptools from 57.4.2 to 57.4.4 (5fcdcb7)

poetry(deps): bump filelock from 3.3.2 to 3.4.0

Bumps filelock from 3.3.2 to 3.4.0.

Release notes
Changelog
Commits

updated-dependencies:

dependency-name: filelock dependency-type: indirect update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] <support@github.com> (8d4520e)

CHORE: poetry(deps-dev): bump flake8-bugbear from 21.9.2 to 21.11.29

poetry(deps-dev): bump flake8-bugbear from 21.9.2 to 21.11.29 (fc6e3ac)

poetry(deps): bump types-setuptools from 57.4.2 to 57.4.4

Bumps types-setuptools from 57.4.2 to 57.4.4.

Release notes
Commits

updated-dependencies:

dependency-name: types-setuptools dependency-type: direct:production update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] <support@github.com> (00dcbb8)

CHORE: poetry(deps): bump importlib-metadata from 4.8.1 to 4.8.2

poetry(deps): bump importlib-metadata from 4.8.1 to 4.8.2 (28f9676)

poetry(deps-dev): bump flake8-bugbear from 21.9.2 to 21.11.29

Bumps flake8-bugbear from 21.9.2 to 21.11.29.

Release notes
Commits

updated-dependencies:

dependency-name: flake8-bugbear dependency-type: direct:development update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] <support@github.com> (1eec2e8)

CHORE: poetry(deps-dev): bump coverage from 6.1.2 to 6.2

poetry(deps-dev): bump coverage from 6.1.2 to 6.2 (bdd9365)

CHORE: poetry(deps): bump mako from 1.1.5 to 1.1.6

poetry(deps): bump mako from 1.1.5 to 1.1.6 (33d3ecc)

poetry(deps-dev): bump coverage from 6.1.2 to 6.2

Bumps coverage from 6.1.2 to 6.2.

Release notes
Changelog
Commits

updated-dependencies:

dependency-name: coverage dependency-type: direct:development update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] <support@github.com> (be1af9b)

DOCS: fix README shields & links (43b1121)
doc: readme maintenance - shields & links (#72)
README: restructure links

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

README: add lan to fenced code blocks

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

README: fix some formatting

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

README: modernized shields

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

README: harmonize links

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

README: add language to code fences

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

README: markdown fixes

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

README: removed py version shield

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (3d0ea2f)

poetry(deps): bump mako from 1.1.5 to 1.1.6

Bumps mako from 1.1.5 to 1.1.6.

Release notes
Changelog
Commits

updated-dependencies:

dependency-name: mako dependency-type: indirect update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] <support@github.com> (3344b86)

Merge pull request #47 from CycloneDX/dependabot/pip/filelock-3.3.2

poetry(deps): bump filelock from 3.3.1 to 3.3.2 (3f967b3)

FIX: update Conda package parsing to handle build containing underscore (#66)
fix: update conda package parsing to handle build containing underscore

Signed-off-by: Paul Horton <phorton@sonatype.com>

updated some typings

Signed-off-by: Paul Horton <phorton@sonatype.com> (2c6020a)

poetry(deps): bump importlib-metadata from 4.8.1 to 4.8.2

Bumps importlib-metadata from 4.8.1 to 4.8.2.

Release notes
Changelog
Commits

updated-dependencies:

dependency-name: importlib-metadata dependency-type: direct:production update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] <support@github.com> (003f6b4)

poetry(deps): bump filelock from 3.3.1 to 3.3.2

Bumps filelock from 3.3.1 to 3.3.2.

Release notes
Changelog
Commits

updated-dependencies:

dependency-name: filelock dependency-type: indirect update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] <support@github.com> (55022b7)

Merge pull request #45 from CycloneDX/dependabot/pip/importlib-resources-5.4.0

poetry(deps): bump importlib-resources from 5.3.0 to 5.4.0 (b8acf9f)

Merge pull request #70 from CycloneDX/dependabot/pip/pyparsing-3.0.6

poetry(deps): bump pyparsing from 3.0.5 to 3.0.6 (faa8628)

Merge pull request #69 from CycloneDX/dependabot/pip/coverage-6.1.2

poetry(deps-dev): bump coverage from 6.1.1 to 6.1.2 (eba56dc)

poetry(deps): bump pyparsing from 3.0.5 to 3.0.6

Bumps pyparsing from 3.0.5 to 3.0.6.

Release notes
Changelog
Commits

updated-dependencies:

dependency-name: pyparsing dependency-type: indirect update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] <support@github.com> (4f2b2d8)

poetry(deps-dev): bump coverage from 6.1.1 to 6.1.2

Bumps coverage from 6.1.1 to 6.1.2.

Release notes
Changelog
Commits

updated-dependencies:

dependency-name: coverage dependency-type: direct:development update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] <support@github.com> (1d0f5ea)

v0.11.1 (2021-11-10)

Fix

fix: constructor for Vulnerability to correctly define ratings as optional

Signed-off-by: William Woodruff <william@trailofbits.com> (395a0ec)

Unknown

0.11.1

Automatically generated by python-semantic-release (a80f87a)

FEAT: Support Python 3.10 (#64)
fix: tested with Python 3.10

Signed-off-by: Paul Horton <phorton@sonatype.com>

added trove classifier for Python 3.10

Signed-off-by: Paul Horton <phorton@sonatype.com>

fix: upgrade Poetry version to workaround issue between Poetry and Python 3.10 (see: python-poetry/poetry#4210)

Signed-off-by: Paul Horton <phorton@sonatype.com> (385b835)

poetry(deps): bump importlib-resources from 5.3.0 to 5.4.0

Bumps importlib-resources from 5.3.0 to 5.4.0.

Release notes
Changelog
Commits

updated-dependencies:

dependency-name: importlib-resources dependency-type: indirect update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] <support@github.com> (a1dd775)

v0.11.0 (2021-11-10)

Feature

feat: Typing & PEP 561
adde file for type checkers according to PEP 561

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

added static code analysis as a dev-test

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

added the "typed" trove

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

added flake8-annotations to the tests

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

added type hints

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

further typing updates

Signed-off-by: Paul Horton <phorton@sonatype.com>

further typing additions and test updates

Signed-off-by: Paul Horton <phorton@sonatype.com>

further typing

Signed-off-by: Paul Horton <phorton@sonatype.com>

further typing - added type stubs for toml and setuptools

Signed-off-by: Paul Horton <phorton@sonatype.com>

further typing

Signed-off-by: Paul Horton <phorton@sonatype.com>

typing work

Signed-off-by: Paul Horton <phorton@sonatype.com>

coding standards

Signed-off-by: Paul Horton <phorton@sonatype.com>

fixed tox and mypy running in correct python version

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

supressed mypy for cyclonedx.utils.conda.parse_conda_json_to_conda_package

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

fixed type hints

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

fixed some typing related flaws

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

added flake8-bugbear for code analysis

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

Co-authored-by: Paul Horton <phorton@sonatype.com> (9144765)

Unknown

0.11.0

Automatically generated by python-semantic-release (7262783)

Merge pull request #41 from jkowalleck/improv-abstract

fixed some abstract definitions (f34e2c2)

Merge pull request #42 from jkowalleck/improv-pipenv

slacked pipenv parser (08bc4ab)

Merge pull request #43 from jkowalleck/improv-conda-typehints

fixed typehints/docs in _BaseCondaParser (931016d)

Merge pull request #54 from jkowalleck/create-CODEOWNERS

created CODEOWNERS (7f28bef)

Merge pull request #56 from CycloneDX/dependabot/pip/py-1.11.0

poetry(deps): bump py from 1.10.0 to 1.11.0 (f1cda3c)

Merge pull request #58 from CycloneDX/dependabot/pip/pyparsing-3.0.5

poetry(deps): bump pyparsing from 2.4.7 to 3.0.5 (0525439)

Merge pull request #19 from CycloneDX/dependabot/pip/zipp-3.6.0

poetry(deps): bump zipp from 3.5.0 to 3.6.0 (c54c968)

poetry(deps): bump py from 1.10.0 to 1.11.0

Bumps py from 1.10.0 to 1.11.0.

Release notes
Changelog
Commits

updated-dependencies:

dependency-name: py dependency-type: indirect update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] <support@github.com> (330711f)

Merge pull request #57 from CycloneDX/dependabot/pip/coverage-6.1.1

poetry(deps-dev): bump coverage from 5.5 to 6.1.1 (fa55e5c)

poetry(deps): bump pyparsing from 2.4.7 to 3.0.5

Bumps pyparsing from 2.4.7 to 3.0.5.

Release notes
Changelog
Commits

updated-dependencies:

dependency-name: pyparsing dependency-type: indirect update-type: version-update:semver-major ...

Signed-off-by: dependabot[bot] <support@github.com> (3bedaff)

Merge pull request #55 from CycloneDX/dependabot/pip/virtualenv-20.10.0

poetry(deps): bump virtualenv from 20.8.1 to 20.10.0 (4c3df85)

CI/CT runs on main & master branch (2d0df7b)
poetry(deps-dev): bump coverage from 5.5 to 6.1.1

Bumps coverage from 5.5 to 6.1.1.

Release notes
Changelog
Commits

updated-dependencies:

dependency-name: coverage dependency-type: direct:development update-type: version-update:semver-major ...

Signed-off-by: dependabot[bot] <support@github.com> (e322d74)

poetry(deps): bump virtualenv from 20.8.1 to 20.10.0

Bumps virtualenv from 20.8.1 to 20.10.0.

Release notes
Changelog
Commits

updated-dependencies:

dependency-name: virtualenv dependency-type: indirect update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] <support@github.com> (3927cdc)

created CODEOWNERS

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (e8e499c)

fixed typehints/docs in _BaseCondaParser

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (af6ddfd)

slacked pipenv parser

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (a3572ba)

fixed some abstract definitions

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (9e67998)

v0.10.2 (2021-10-21)

Fix

fix: correct way to write utf-8 encoded files

Signed-off-by: Paul Horton <phorton@sonatype.com> (49f9369)

Unknown

0.10.2

Automatically generated by python-semantic-release (79538e9)

v0.10.1 (2021-10-21)

Fix

fix: ensure output to file is UTF-8

Signed-off-by: Paul Horton <phorton@sonatype.com> (a10da20)

fix: ensure output to file is UTF-8

Signed-off-by: Paul Horton <phorton@sonatype.com> (193bf64)

Unknown

0.10.1

Automatically generated by python-semantic-release (e6451a3)

Merge pull request #40 from CycloneDX/fix/issue-39-windows-UnicodeEncodeError

FIX: Resolve file encoding issues on Windows (48329e0)

remove memoryview from sha1 file hashing

Signed-off-by: Paul Horton <phorton@sonatype.com> (a56be0f)

added debug to CI to aid understanding of miss matching SHA1 hashes on Windows

Signed-off-by: Paul Horton <phorton@sonatype.com> (10c6b51)

v0.10.0 (2021-10-20)

Feature

feat: add support for Conda

Signed-off-by: Paul Horton <phorton@sonatype.com> (bd29c78)

Unknown

0.10.0

Automatically generated by python-semantic-release (eea3598)

Merge pull request #38 from CycloneDX/feat/conda-support

feat: add support for Conda (ee5d36d)

add support pre Python 3.8

Signed-off-by: Paul Horton <phorton@sonatype.com> (2d01116)

doc: updated documentation with Conda support (and missed updates for externalReferences)

Signed-off-by: Paul Horton <phorton@sonatype.com> (57e9dc7)

v0.9.1 (2021-10-19)

Fix

fix: missing check for Classifiers in Environment Parser

Signed-off-by: Paul Horton <phorton@sonatype.com> (b7fa38e)

Unknown

0.9.1

Automatically generated by python-semantic-release (f132c92)

Merge branch 'main' of github.com:CycloneDX/cyclonedx-python-lib (51a1e50)

v0.9.0 (2021-10-19)

Feature

feat: add support for parsing package licenses when using the Environment Parsers

Signed-off-by: Paul Horton <phorton@sonatype.com> (c414eaf)

Unknown

0.9.0

Automatically generated by python-semantic-release (ad65564)

Merge pull request #36 from CycloneDX/feat/add-license-support

Add support for parsing package licenses from installed packages (d45f75b)

v0.8.3 (2021-10-14)

Fix

fix: coding standards violations

Signed-off-by: Paul Horton <phorton@sonatype.com> (00cd1ca)

fix: handle Pipfile.lock dependencies without an index specified fix: multiple fixes in variable scoping to prevent accidental data sharing

Signed-off-by: Paul Horton <phorton@sonatype.com> (26c62fb)

Unknown

0.8.3

Automatically generated by python-semantic-release (91f9a8b)

Merge pull request #34 from CycloneDX/fix/issue-33-pipfile-lock-parse-failure

BUG: Fixe for Pipfile.lock parsing + accidental data sharing issues identified during testing (4079323)

v0.8.2 (2021-10-14)

Fix

fix: add namespace and subpath support to Component to complete PackageURL Spec support

Signed-off-by: Paul Horton <phorton@sonatype.com> (780adeb)

Unknown

0.8.2

Automatically generated by python-semantic-release (298318f)

Merge pull request #32 from CycloneDX/feat/full-packageurl-support

Add namespace and subpath support to Component (bb3af91)

v0.8.1 (2021-10-12)

Fix

fix: multiple hashes being created for an externalRefernce which is not as required

Signed-off-by: Paul Horton <phorton@sonatype.com> (970d192)

Unknown

0.8.1

Automatically generated by python-semantic-release (70689a2)

v0.8.0 (2021-10-12)

Feature

feat: add support for externalReferneces for Components and associated enhancements to parsers to obtain information where possible/known

Signed-off-by: Paul Horton <phorton@sonatype.com> (a152852)

Unknown

0.8.0

Automatically generated by python-semantic-release (7a49f9d)

Merge pull request #29 from CycloneDX/feat/component-external-references

FEATURE: Add support for externalReferences against Components (bdee0ea)

doc: notable improvements to API documentation generation (added search, branding, a little styling)

Signed-off-by: Paul Horton <phorton@sonatype.com> (e7a5b5a)

v0.7.0 (2021-10-11)

Feature

feat: support for pipenv.lock file parsing

Signed-off-by: Paul Horton <phorton@sonatype.com> (68a2dff)

Unknown

0.7.0

Automatically generated by python-semantic-release (827bd1c)

Merge pull request #27 from CycloneDX/feat/add-pipenv-support

FEATURE: Add Pipfile.lock (pipenv) support (2c42e2a)

doc: updated README.md to include Pipfile.lock parsing

Signed-off-by: Paul Horton <phorton@sonatype.com> (2c66834)

v0.6.2 (2021-10-11)

Fix

fix: added ability to add tools in addition to this library when generating CycloneDX + plus fixes relating to multiple BOM instances

Signed-off-by: Paul Horton <phorton@sonatype.com> (e03a25c)

Unknown

0.6.2

Automatically generated by python-semantic-release (e68fbc2)

Merge branch 'main' of github.com:CycloneDX/cyclonedx-python-lib (2bf2711)

v0.6.1 (2021-10-11)

Fix

fix: better methods for checking if a Component is already represented in the BOM, and the ability to get the existing instance

Signed-off-by: Paul Horton <phorton@sonatype.com> (5fee85f)

Unknown

0.6.1

Automatically generated by python-semantic-release (c530460)

Merge branch 'main' of github.com:CycloneDX/cyclonedx-python-lib (eb3a46b)

v0.6.0 (2021-10-11)

Feature

feat: helper method for representing a File as a Component taking into account versioning for files as per CycloneDX/cyclonedx.org#34

Signed-off-by: Paul Horton <phorton@sonatype.com> (7e0fb3c)

feat: support for non-PyPi Components - PackageURL type is now definable when creating a Component

Signed-off-by: Paul Horton <phorton@sonatype.com> (fde79e0)

Unknown

0.6.0

Automatically generated by python-semantic-release (907cd2d)

Merge pull request #25 from CycloneDX/feat/additions-to-enable-integration-into-checkov

Support for representing File as Component (63a86b0)

v0.5.0 (2021-10-11)

Build

build: updated dependencies, moved pdoc3 to a dev dependency

Signed-off-by: Paul Horton <phorton@sonatype.com> (6a9947d)

Feature

feat: add support for tool(s) that generated the SBOM

Signed-off-by: Paul Horton <phorton@sonatype.com> (7d1e6ef)

Fix

fix: bumped a dependency version

Signed-off-by: Paul Horton <phorton@sonatype.com> (efc1053)

Unknown

0.5.0

Automatically generated by python-semantic-release (a655d29)

Merge pull request #20 from CycloneDX/feat/additional-metadata

feat: add support for tool(s) that generated the SBOM (b33cbf4)

fix for Pytho< 3.8 support in tests

Signed-off-by: Paul Horton <phorton@sonatype.com> (c9b6019)

ensure support for Python < 3.8

Signed-off-by: Paul Horton <phorton@sonatype.com> (53a82cf)

ensure support for Python < 3.8

Signed-off-by: Paul Horton <phorton@sonatype.com> (2a9e56a)

doc: added documentation

Signed-off-by: Paul Horton <phorton@sonatype.com> (cf13c68)

poetry(deps): bump zipp from 3.5.0 to 3.6.0

Bumps zipp from 3.5.0 to 3.6.0.

Release notes
Changelog
Commits

updated-dependencies:

dependency-name: zipp dependency-type: indirect update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] <support@github.com> (30f2547)

doc: bumped gh-action for publishing docs

Signed-off-by: Paul Horton <phorton@sonatype.com> (ac70eee)

doc: added documentation to model/bom

Signed-off-by: Paul Horton <phorton@sonatype.com> (fe98ada)

doc: formatting

Signed-off-by: Paul Horton <phorton@sonatype.com> (1ad7fb1)

doc: added missing docstrings to allow documentation to generate

Signed-off-by: Paul Horton <phorton@sonatype.com> (ed743d9)

Merge pull request #10 from coderpatros/docs

Add initial doc generation and publishing (7873ad9)

v0.4.1 (2021-09-27)

Build

build: dependencies updated

Signed-off-by: Paul Horton <phorton@sonatype.com> (0411826)

Fix

fix: improved handling for requirements.txt content without pinned or declared versions

Signed-off-by: Paul Horton <phorton@sonatype.com> (7f318cb)

Unknown

0.4.1

Automatically generated by python-semantic-release (d5b7a2f)

Merge pull request #15 from CycloneDX/fix/issue-14-requirements-unpinned-versions

fix: improved handling for requirements.txt content without pinned … (f248015)

Add initial doc generation and publishing

Signed-off-by: Patrick Dwyer <patrick.dwyer@owasp.org> (cd1b558)

v0.4.0 (2021-09-16)

Feature

feat: support for localising vectors (i.e. stripping out any scheme prefix)

Signed-off-by: Paul Horton <phorton@sonatype.com> (b9e9e17)

feat: helper methods for deriving Severity and SourceType

Signed-off-by: Paul Horton <phorton@sonatype.com> (6a86ec2)

Fix

fix: removed print call

Signed-off-by: Paul Horton <phorton@sonatype.com> (8806553)

fix: relaxed typing of parameter to be compatible with Python < 3.9

Signed-off-by: Paul Horton <phorton@sonatype.com> (f9c7990)

fix: removed print call

Signed-off-by: Paul Horton <phorton@sonatype.com> (d272d2e)

fix: remove unused commented out code

Signed-off-by: Paul Horton <phorton@sonatype.com> (ba4f285)

Unknown

0.4.0

Automatically generated by python-semantic-release (f441413)

v0.3.0 (2021-09-15)

Feature

feat: adding support for extension schema that descriptions vulnerability disclosures

Signed-off-by: Paul Horton <phorton@sonatype.com> (d496695)

Unknown

0.3.0

Automatically generated by python-semantic-release (a5c3dab)

Merge pull request #5 from CycloneDX/feat/support-schema-extension-vulnerability-1.0

FEATURE: add support for Vulnerability Disclosures (6914272)

doc: updated README to explain support for Vulnerability Disclosures

Signed-off-by: Paul Horton <phorton@sonatype.com> (f477bf0)

v0.2.0 (2021-09-14)

Feature

feat: added helper method to return a PackageURL object representing a Component

Signed-off-by: Paul Horton <phorton@sonatype.com> (367bef1)

Fix

fix: whitespace on empty line removed

Signed-off-by: Paul Horton <phorton@sonatype.com> (cfc952e)

Unknown

0.2.0

Automatically generated by python-semantic-release (866eda7)

Merge pull request #4 from CycloneDX/feat/component-as-packageurl

fix: whitespace on empty line removed (ddc37f3)

Merge branch 'main' of github.com:CycloneDX/cyclonedx-python-lib (6142d2e)

v0.1.0 (2021-09-13)

Feature

feat: add poetry support

Signed-off-by: Paul Horton <phorton@sonatype.com> (f3ac42f)

Unknown

0.1.0

Automatically generated by python-semantic-release (0da668f)

Merge pull request #3 from CycloneDX/feat/poetry-lock-support

FEATURE: Adde poetry.lock parser support (37ba7c6)

feat(parser) - added support for parsing dependencies from poetry.lock files.

Signed-off-by: Paul Horton <phorton@sonatype.com> (15bc553)

fix(parser) parsers were able to share state unexpectedly

Signed-off-by: Paul Horton <phorton@sonatype.com> (dc59914)

v0.0.11 (2021-09-10)

Fix

fix(test): test was not updated for revised author statement

Signed-off-by: Paul Horton <phorton@sonatype.com> (d1c9d37)

fix(build): test failure and dependency missing

Fixed failing tests due to dependency on now removed VERSION file Added flake8 officially as a DEV dependency to poetry

Signed-off-by: Paul Horton <phorton@sonatype.com> (9a2cfe9)

fix(build): removed artefacts associtated with non-poetry build

Tidied up project to remove items associated with non-Poetry build process. Also aligned a few references in README to new home of this project under CycloneDX.

Signed-off-by: Paul Horton <phorton@sonatype.com> (f9119d4)

Unknown

0.0.11

Automatically generated by python-semantic-release (1c0aa71)

Merge pull request #2 from CycloneDX/fix/tidy-up-build-remove-pip

fix(build): removed artefacts associated with non-poetry build (b7de7b3)

v0.0.10 (2021-09-08)

Fix

fix: add in pypi badge (6098c36)

Unknown

0.0.10

Automatically generated by python-semantic-release (245d809)

v0.0.9 (2021-09-08)

Fix

fix: additional info to poetry, remove circleci (2fcfa5a)

Unknown

0.0.9

Automatically generated by python-semantic-release (e4a90cf)

Merge branch 'main' of github.com:CycloneDX/cyclonedx-python-lib into main (69aaba5)

v0.0.8 (2021-09-08)

Fix

fix: initial release to pypi, tell poetry to include cyclonedx package (a030177)

Unknown

0.0.8

Automatically generated by python-semantic-release (fc3f24c)

Merge branch 'main' of github.com:CycloneDX/cyclonedx-python-lib into main (da2d18c)

v0.0.7 (2021-09-08)

Fix

fix: release with full name (4c620ed)

Unknown

0.0.7

Automatically generated by python-semantic-release (19943e8)

v0.0.6 (2021-09-08)

Fix

fix: initial release to pypi (99687db)

Unknown

0.0.6

Automatically generated by python-semantic-release (98ad249)

Switch to using action (cce468a)

v0.0.5 (2021-09-08)

Unknown

0.0.5

Automatically generated by python-semantic-release (9bf4b9a)

Merge branch 'main' of github.com:CycloneDX/cyclonedx-python-lib into main (eeec0bb)
Try this on for size (aa93310)

v0.0.4 (2021-09-08)

Unknown

0.0.4

Automatically generated by python-semantic-release (b16d6c5)

Use python3 to install (4c810e1)

v0.0.3 (2021-09-08)

Unknown

0.0.3

Automatically generated by python-semantic-release (05306ee)

Merge branch 'main' of github.com:CycloneDX/cyclonedx-python-lib into main (f1d120c)
Bump up version of poetry (89db268)

v0.0.2 (2021-09-08)

Unknown

0.0.2

Automatically generated by python-semantic-release (e15dec6)

Remove check for push (71b1270)
Manual deploy workflow (9b4ac33)
License headers, OWASP etc... (559b8d2)
Fixed unit tests pinned to a VERISON. (5d907d5)
Bump to version 0.0.2 (1050839)
Implemented writing SBOM to a file. (74f4153)
Updated badge in README to include Python 3.6+ support. (0a5903c)
Removed print() statement accidentally left in. (22965a7)
Merge pull request #1 from sonatype-nexus-community/features/initial-port-of-v1.1-generation-from-jake

Initial port of library code to new library (2f2634b)

Added license headers to all source files. Added classifiers for Python version to setup.py. (bb6bb24)
Renamed model file to not reference CycloneDX as the models are agnostic on purpose. (03d03ed)
Forgot to add updated poetry.lock file relfecting Python 3.6+ support (5d3d491)
Updated project to state support from Python v3.6+ (619ee1d)
Adding Python 3.6 support for test & CI. (daa12ba)
Fixing CircleCI config. (a446f4c)
Fixes to GitHub actions. (d2aa277)
Disabled Py3.6 checks and added flake8. (8c01da3)
Attempt to fix CI's for multiple Python environments. (affb6b2)
Added support for Python versions 3.7+ (ae24ba9)
Added missing ENV var for GH actions. (c750ec6)
Missed wrapping a coverage command with poetry. (3c74c82)
Added poetry virtualenv caching + wrapped tox and coverage with poetry to ensure they run in the poetry venv. (780e3df)
Fixed typo in Github action. (3953675)
Correction: Supported Python version in setup.py (2f4917b)
Updated poetry dependencies and configuration. (75041e5)
Initial draft GitHub actions being added. (e2403e8)
Added Poetry supprot. (e9a67f8)
Addressing issues reported by flake8. (3ad394c)
Refactored output classes to use multiple inheritance allowing a single place to define which schema version support various attributes and elements. (95c5b38)
Updated README to reflect support for author. (bff5954)
Skeleton support for 'author' + v1.1 and v1.0 for JSON added (along with tests). (e987f35)
Corrected typo in README (0d2c355)
Updated README to include a summary of the support this library provides across the different schema versions. (34f421f)
Initial support for V1.0 and V1.1 in XML output format. (37f6b00)
Added 'serialNumber' to SBOMs (JSON and XML). (50e3c75)
Added a bunch more content to the README to explain how the library can be used. (bb41dc6)
Added metadata initial support to JSON output format. (8c5590f)
Addition of simple 'metadata' element for XML SBOM's. (f9e9773)
Added initial JSON outputter and associated tests. (3e1f5ec)
Fix to generate HTML coverage reports and stash in CircleCI builds. (dd88603)
Added HTML coverage report. (ce700e5)
Missed coverage as a dependency for testing. (01643d6)
Added coverage reporting for tests (c34b1a6)
Added first tests for XML SBOM generation (v1.3 and v1.2). (cb4337a)
WIP: Starting to generate XML output for BOMs (35bdfca)
Updated CircleCI config to run tox. Fixed fomratting in tests. (9a56230)
Rebasing from main. (822ab8b)
Initial skeleton tests for output genereation. (a614f3e)
pretty badge (60e975c)
initial CI for discussion (7e88cd5)
Added a little more information to the README. (460c624)
Fixed issue reported by Flake8. Ensuring tests run on PY 3.9. (cce130f)
Basic structure without any output generation available (very basic Component definition). (6ac5dc2)
Added tox config with flake8 and py3.9 support. (1def201)
Initially added skeleton packaging structure and official CycloneDX schemas. (ac519c9)
Added inital blank README prior to branching for initial work. (b175f6a)
Added inital blank README prior to branching for initial work. (e8b5d48)
Initial commit (62353b0)

Files

CHANGELOG.md

Latest commit

History

CHANGELOG.md

File metadata and controls

CHANGELOG

v8.4.0 (2024-10-29)

Feature

Fix

Unknown

v8.3.0 (2024-10-26)

Documentation

Feature

v8.2.1 (2024-10-24)

Fix

v8.2.0 (2024-10-22)

Feature

v8.1.0 (2024-10-21)

Documentation

Feature

v8.0.0 (2024-10-14)

Breaking

BREAKING Changes

Changes

Fixes

Added

Dependencies

Documentation

v7.6.2 (2024-10-07)

Documentation

Fix

v7.6.1 (2024-09-18)

Fix

v7.6.0 (2024-08-14)

Feature

v7.5.1 (2024-07-08)

Fix

v7.5.0 (2024-07-04)

Feature

v7.4.1 (2024-06-12)

Documentation

Fix

v7.4.0 (2024-05-23)

Documentation

Feature

v7.3.4 (2024-05-06)

Fix

v7.3.3 (2024-05-06)

Fix

v7.3.2 (2024-04-26)

Fix

v7.3.1 (2024-04-22)

Fix

v7.3.0 (2024-04-19)

Feature

v7.2.0 (2024-04-19)

Feature

Unknown

v7.1.0 (2024-04-10)

Documentation

Feature

v7.0.0 (2024-04-09)

Breaking

v6.4.4 (2024-03-18)

Fix

v6.4.3 (2024-03-04)

Fix

v6.4.2 (2024-03-01)

Build

Documentation

Unknown

v6.4.1 (2024-01-30)

Documentation

Fix

v6.4.0 (2024-01-22)

Documentation

Feature

v6.3.0 (2024-01-06)

Documentation