
Releases: CycloneDX/cyclonedx-python-lib

v6.1.0

22 Dec 01:47

v6.1.0 (2023-12-22)

Chore

  • chore: update maintainers

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (87c72d7)

  • chore(deps): bump python-semantic-release/python-semantic-release (#515)

Bumps python-semantic-release/python-semantic-release from 8.5.0 to 8.5.1.


updated-dependencies:

  • dependency-name: python-semantic-release/python-semantic-release
    dependency-type: direct:production
    update-type: version-update:semver-patch
    ...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (0f56ec4)

  • chore(deps-dev): update coverage requirement from 7.3.2 to 7.3.3 (#517)

Updates the requirements on coverage to permit the latest version.


updated-dependencies:

  • dependency-name: coverage
    dependency-type: direct:development
    ...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (a57e2f6)

  • chore(deps-dev): update isort requirement from 5.13.0 to 5.13.2 (#516)

Updates the requirements on isort to permit the latest version.


updated-dependencies:

  • dependency-name: isort
    dependency-type: direct:development
    ...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (84874a3)

Feature

  • feat: add function to map python hashlib algorithms to CycloneDX (#519)

new API: model.HashType.from_hashlib_alg()

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (81f8cf5)
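The new from_hashlib_alg() API exists because CycloneDX names hash algorithms differently from Python's hashlib ("SHA-256" versus "sha256"), and for BLAKE2b the spec name carries the digest size ("BLAKE2b-256" up to "BLAKE2b-512") while hashlib has one "blake2b" whose size is a parameter. The following is an added example, not code from cyclonedx-python-lib: it produces and verifies CycloneDX hash entries with the standard library only, so it runs without the library installed. The mapping table is an assumption taken from the CycloneDX hash-algorithm enumeration, and the function names (cdx_hash, build_component, verify_against_sbom, can_express) are this example's own; in real code the library's model.HashType.from_hashlib_alg() is the function to call.

```python
"""Added example (not cyclonedx-python-lib code): hashlib <-> CycloneDX hash names."""
import hashlib
import hmac
from typing import Dict, Tuple

# (hashlib name, digest size in bytes) -> CycloneDX `alg` value.  Assumed from
# the spec enumeration; BLAKE3 has no hashlib counterpart and is not listed.
_CDX_ALG: Dict[Tuple[str, int], str] = {
    ("md5", 16): "MD5",
    ("sha1", 20): "SHA-1",
    ("sha256", 32): "SHA-256",
    ("sha384", 48): "SHA-384",
    ("sha512", 64): "SHA-512",
    ("sha3_256", 32): "SHA3-256",
    ("sha3_384", 48): "SHA3-384",
    ("sha3_512", 64): "SHA3-512",
    ("blake2b", 32): "BLAKE2b-256",
    ("blake2b", 48): "BLAKE2b-384",
    ("blake2b", 64): "BLAKE2b-512",
}
_HASHLIB_FOR_CDX = {cdx: key for key, cdx in _CDX_ALG.items()}

SAMPLE_DATA = b"abc"  # constructed artifact content; any bytes would do


class UnknownHashAlgorithm(ValueError):
    """hashlib algorithm (or CycloneDX alg) without a counterpart on the other side."""


def cdx_hash(hashlib_alg: str, data: bytes, **kwargs) -> Dict[str, str]:
    """Producer side: {"alg": <CycloneDX name>, "content": <hex digest>} for `data`.

    kwargs go to hashlib.new(), e.g. digest_size=32 to obtain BLAKE2b-256.
    Algorithms the SBOM cannot express (blake2s, shake_*, ...) raise instead of
    silently emitting an `alg` value that no consumer will accept.
    """
    h = hashlib.new(hashlib_alg, data, **kwargs)
    alg = _CDX_ALG.get((h.name, h.digest_size))
    if alg is None:
        raise UnknownHashAlgorithm(
            f"no CycloneDX alg for hashlib {h.name!r} with a {h.digest_size * 8}-bit digest")
    return {"alg": alg, "content": h.hexdigest()}


def can_express(hashlib_alg: str, **kwargs) -> bool:
    """True when hashlib_alg (with these kwargs) has a CycloneDX name."""
    try:
        cdx_hash(hashlib_alg, b"", **kwargs)
    except ValueError:  # UnknownHashAlgorithm, or hashlib rejecting the name
        return False
    return True


def build_component(name: str, version: str, data: bytes, algs=("sha256", "sha512")) -> dict:
    """A minimal CycloneDX component carrying the hashes of its artifact."""
    return {"type": "library", "name": name, "version": version,
            "hashes": [cdx_hash(a, data) for a in algs]}


def verify_against_sbom(component: dict, data: bytes) -> bool:
    """Consumer side: recompute every listed hash and compare in constant time.

    Returns False on any mismatch and also when the component lists no hashes
    (nothing was verified); an alg this verifier cannot recompute raises.
    """
    hashes = component.get("hashes", [])
    if not hashes:
        return False
    for entry in hashes:
        key = _HASHLIB_FOR_CDX.get(entry["alg"])
        if key is None:
            raise UnknownHashAlgorithm(f"cannot recompute {entry['alg']!r}")
        name, size = key
        kwargs = {"digest_size": size} if name == "blake2b" else {}
        actual = hashlib.new(name, data, **kwargs).hexdigest()
        if not hmac.compare_digest(actual, entry["content"].lower()):
            return False
    return True
```

The lookup is keyed by digest size as well as by name so that a BLAKE2b digest is never labelled with the wrong spec name; the consumer side deliberately treats "no hashes listed" as "not verified" rather than as success.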


What's Changed

  • chore(deps-dev): update isort requirement from 5.13.0 to 5.13.2 by @dependabot in #516
  • chore(deps-dev): update coverage requirement from 7.3.2 to 7.3.3 by @dependabot in #517
  • chore(deps): bump python-semantic-release/python-semantic-release from 8.5.0 to 8.5.1 by @dependabot in #515
  • feat: add function to map python hashlib algorithms to CycloneDX by @jkowalleck in #519

Full Changelog: v6.0.0...v6.1.0

v6.0.0

10 Dec 19:04

v6.0.0 (2023-12-10)

Breaking

  • feat!: v6.0.0 (#492)

Breaking Changes

  • Removed symbols that were already marked as deprecated (via #493)
  • Removed symbols in parser.* (#489 via #495)
  • Removed output.LATEST_SUPPORTED_SCHEMA_VERSION (#491 via #494)
  • Serialization of unsupported enum values might downgrade/migrate/omit them (#490 via #496)
    Handling might raise warnings if data loss occurred due to omission.
    The result is a guaranteed valid XML/JSON, since no (enum-)invalid values are rendered.
  • Serialization of any model.component.Component with unsupported type raises exception.serialization.SerializationOfUnsupportedComponentTypeException (#490 via #496)
  • Object model.bom_ref.BomRef's property value defaults to Null, was arbitrary UUID (#504 via #505)
    This change does not affect serialization. All bom-refs are guaranteed to have unique values on rendering.
  • Removed helpers from public API (#503 via #506)

Added

  • Basic support for CycloneDX 1.5 (#404 via #488) -- Thanks to @Churro
    • No data models were enhanced nor added, yet.
      Pull requests to add functionality are welcome.
    • Existing enumerables got new cases, to reflect features of CycloneDX 1.5 (#404 via #488)
    • Outputters were enabled to render CycloneDX 1.5 (#404 via #488)

Tests

  • Created (regression/unit/integration/functional) tests for CycloneDX 1.5 (#404 via #488)
  • Created (regression/functional) tests for Enums' handling and completeness (#490 via #496)

Misc

  • Bumped dependency py-serializable@^0.16, was @^0.15 (via #496)

API Changes — the details for migration

  • Added new sub-package exception.serialization (via #496)
  • Removed class model.ComparableTuple (#503 via #506)
  • Enum model.ExternalReferenceType got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
  • Removed function model.get_now_utc (#503 via #506)
  • Removed function model.sha1sum (#503 via #506)
  • Enum model.component.ComponentType got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
  • Removed model.component.Component.__init__()'s deprecated optional kwarg namespace (via #493)
    Use kwarg group instead.
  • Removed model.component.Component.__init__()'s deprecated optional kwarg license_str (via #493)
    Use kwarg licenses instead.
  • Removed deprecated method model.component.Component.get_namespace() (via #493)
  • Removed class model.dependency.DependencyDependencies (#503 via #506)
  • Removed model.vulnerability.Vulnerability.__init__()'s deprecated optional kwarg source_name (via #493)
    Use kwarg source instead.
  • Removed model.vulnerability.Vulnerability.__init__()'s deprecated optional kwarg source_url (via #493)
    Use kwarg source instead.
  • Removed model.vulnerability.Vulnerability.__init__()'s deprecated optional kwarg recommendations (via #493)
    Use kwarg recommendation instead.
  • Removed model.vulnerability.VulnerabilityRating.__init__()'s deprecated optional kwarg score_base (via #493)
    Use kwarg score instead.
  • Enum model.vulnerability.VulnerabilityScoreSource got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
  • Removed output.LATEST_SUPPORTED_SCHEMA_VERSION (#491 via #494)
  • Removed deprecated function output.get_instance() (via #493)
    Use function output.make_outputter() instead.
  • Added new class output.json.JsonV1Dot5, to reflect CycloneDX 1.5 (#404 via #488)
  • Added new item to dict output.json.BY_SCHEMA_VERSION, to reflect CycloneDX 1.5 (#404 via #488)
  • Added new class output.xml.XmlV1Dot5, to reflect CycloneDX 1.5 (#404 via #488)
  • Added new item to dict output.xml.BY_SCHEMA_VERSION, to reflect CycloneDX 1.5 (#404 via #488)
  • Removed class parser.ParserWarning (#489 via #495)
  • Removed class parser.BaseParser (#489 via #495)
  • Enum schema.SchemaVersion got new case V1_5, to reflect CycloneDX 1.5 (#404 via #488)

Signed-off-by: Johannes Feichtner <johannes@web-wack.at>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: semantic-release <semantic-release>
Co-authored-by: Johannes Feichtner <343448+Churro@users.noreply.github.com>
Co-authored-by: semantic-release <semantic-release> (74865f8)

Chore

  • chore(deps): bump python-semantic-release/python-semantic-release (#509)

Bumps python-semantic-release/python-semantic-release from 8.0.8 to 8.5.0.


updated-dependencies:

  • dependency-name: python-semantic-release/python-semantic-release
    dependency-type: direct:production
    update-type: version-update:semver-minor
    ...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (9ed9ab1)

  • chore(deps-dev): update isort requirement from 5.12.0 to 5.13.0 (#512)

Updates the requirements on isort to permit the latest version.


updated-dependencies:

  • dependency-name: isort
    dependency-type: direct:development
    ...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (0eba631)

  • chore(deps-dev): update bandit requirement from 1.7.5 to 1.7.6 (#510)

Updates the requirements on bandit to permit the latest version.


updated-dependencies:

  • dependency-name: bandit
    dependency-type: direct:development
    ...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (153b07a)

  • chore(deps): bump actions/setup-python from 4 to 5 (#508)

Bumps actions/setup-python from 4 to 5.


updated-dependencies:

  • dependency-name: actions/setup-python
    dependency-type: direct:production
    update-type: version-update:semver-major
    ...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (4e3e0e0)

  • chore(deps): update sphinx-rtd-theme requirement (#499)

Updates the requirements on sphinx-rtd-theme to permit the latest version.


updated-dependencies:

  • dependency-name: sphinx-rtd-theme
    dependency-type: direct:production
    ...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (5d6dd41)

  • chore(deps-dev): update flake8-bugbear requirement (#500)

Updates the requirements on flake8-bugbear to permit the latest version.


updated-dependencies:

  • dependency-name: flake8-bugbear
    dependency-type: direct:development
    ...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by:...

v6.0.0-rc.3

10 Dec 15:36
Pre-release

What's Changed since v6.0.0-rc.2

Build process was modernized

see the details here: #492

v6.0.0-rc.3 Changelog: v6.0.0-rc.2...v6.0.0-rc.3


Full change list

see #492

Full Changelog: v5.2.0...v6.0.0-rc.3

v6.0.0-rc.2

05 Dec 11:08
Pre-release

What's Changed since v6.0.0-rc.1

Breaking Changes

  • Object model.bom_ref.BomRef's property value defaults to Null, was arbitrary UUID (#504 via #505)
    This change does not affect serialization. All bom-refs are guaranteed to have unique values on rendering.
  • Removed helpers from public API (#503 via #506)

see the details here: #492

v6.0.0-rc.2 Changelog: v6.0.0-rc.1...v6.0.0-rc.2


Full change list

see #492

Full Changelog: v5.2.0...v6.0.0-rc.2

v5.2.0

02 Dec 11:27

v5.2.0 (2023-12-02)

Chore

  • chore(deps-dev): update mypy requirement from 1.7.0 to 1.7.1 (#487)

Updates the requirements on mypy to permit the latest version.


updated-dependencies:

  • dependency-name: mypy
    dependency-type: direct:development
    ...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (78957e6)

  • chore(deps-dev): update mypy requirement from 1.6.1 to 1.7.0 (#484)

Updates the requirements on mypy to permit the latest version.


updated-dependencies:

  • dependency-name: mypy
    dependency-type: direct:development
    ...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (c716ba3)

  • chore(deps-dev): update ddt requirement from 1.6.0 to 1.7.0 (#483)

Updates the requirements on ddt to permit the latest version.


updated-dependencies:

  • dependency-name: ddt
    dependency-type: direct:development
    ...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (8a1f7b9)

  • chore: migrate dev-dependencies to new poetry layout (#482)

see https://python-poetry.org/docs/managing-dependencies/#dependency-groups

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (a85585c)

  • chore(deps-dev): update flake8-isort requirement from 6.1.0 to 6.1.1 (#481)

Updates the requirements on flake8-isort to permit the latest version.


updated-dependencies:

  • dependency-name: flake8-isort
    dependency-type: direct:development
    ...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (fc74ddd)

Documentation

  • docs: keywords & funding (#486)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (3189e59)

Feature

  • feat: model.XsUri migrate control characters according to spec (#498)

fixes #497


Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (e490429)

v6.0.0-rc.1

30 Nov 12:00
Pre-release

Breaking Changes

  • Removed symbols that were already marked as deprecated (via #493)
  • Removed symbols in parser.* (#489 via #495)
  • Removed output.LATEST_SUPPORTED_SCHEMA_VERSION (#491 via #494)
  • Serialization of unsupported enum values might downgrade/migrate/omit them (#490 via #496)
    Handling might raise warnings if data loss occurred due to omission.
    The result is a guaranteed valid XML/JSON, since no (enum-)invalid values are rendered.
  • Serialization of any model.component.Component with unsupported type raises exception.serialization.SerializationOfUnsupportedComponentTypeException (#490 via #496)

Added

  • Basic support for CycloneDX 1.5 (#404 via #488)
    • No data models were enhanced nor added, yet.
      Pull requests to add functionality are welcome.
    • Existing enumerables got new cases, to reflect features of CycloneDX 1.5 (#404 via #488)
    • Outputters were enabled to render CycloneDX 1.5 (#404 via #488)

Tests

  • Created (regression/unit/integration/functional) tests for CycloneDX 1.5 (#404 via #488)
  • Created (regression/functional) tests for Enums' handling and completeness (#490 via #496)

Misc

  • Bumped dependency py-serializable@^0.16, was @^0.15 (via #496)

API Changes — the details for migration

  • Added new sub-package exception.serialization (via #496)
  • Enum model.ExternalReferenceType got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
  • Enum model.component.ComponentType got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
  • Removed model.component.Component.__init__()'s optional kwarg namespace (via #493)
    Use kwarg group instead.
  • Removed model.component.Component.__init__()'s optional kwarg license_str (via #493)
    Use kwarg licenses instead.
  • Removed method model.component.Component.get_namespace() (via #493)
  • Removed model.vulnerability.Vulnerability.__init__()'s optional kwarg source_name (via #493)
    Use kwarg source instead.
  • Removed model.vulnerability.Vulnerability.__init__()'s optional kwarg source_url (via #493)
    Use kwarg source instead.
  • Removed model.vulnerability.Vulnerability.__init__()'s optional kwarg recommendations (via #493)
    Use kwarg recommendation instead.
  • Removed model.vulnerability.VulnerabilityRating.__init__()'s optional kwarg score_base (via #493)
    Use kwarg score instead.
  • Enum model.vulnerability.VulnerabilityScoreSource got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
  • Removed output.LATEST_SUPPORTED_SCHEMA_VERSION (#491 via #494)
  • Removed deprecated function output.get_instance() (via #493)
    Use function output.make_outputter() instead.
  • Added new class output.json.JsonV1Dot5, to reflect CycloneDX 1.5 (#404 via #488)
  • Added new item to dict output.json.BY_SCHEMA_VERSION, to reflect CycloneDX 1.5 (#404 via #488)
  • Added new class output.xml.XmlV1Dot5, to reflect CycloneDX 1.5 (#404 via #488)
  • Added new item to dict output.xml.BY_SCHEMA_VERSION, to reflect CycloneDX 1.5 (#404 via #488)
  • Removed class parser.ParserWarning (#489 via #495)
  • Removed class parser.BaseParser (#489 via #495)
  • Enum schema.SchemaVersion got new case V1_5, to reflect CycloneDX 1.5 (#404 via #488)

What's Changed

Full Changelog: v5.1.1...v6.0.0-rc.1
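The v6.0.0 and v6.0.0-rc.1 notes above describe three outcomes when a model built with CycloneDX 1.5 enum cases is rendered for an older schema version: the value is migrated, it is omitted with a warning about the data loss, or (for component types) serialization raises. The following is an added example, not code from cyclonedx-python-lib, that makes this concrete on plain dictionaries so it runs without the library. The per-version value sets are an assumption drawn from the 1.4 and 1.5 schemas and deliberately partial; which policy the real library applies to which enum is not stated on this page, so the assignment here (migrate external-reference types, omit rating methods, raise on component types) is illustrative. The exception name follows the notes; downgrade(), can_render(), render() and SAMPLE_BOM are this example's own.

```python
"""Added example (not cyclonedx-python-lib code): rendering a 1.5 BOM for a 1.4 consumer."""
from __future__ import annotations
import copy
import json
import warnings
from typing import Dict, List, Set, Tuple

# Assumed subsets of the schema enumerations: only what the example needs.
COMPONENT_TYPES: Dict[str, Set[str]] = {"1.4": {
    "application", "framework", "library", "container", "operating-system", "device", "firmware", "file"}}
COMPONENT_TYPES["1.5"] = COMPONENT_TYPES["1.4"] | {"platform", "device-driver", "machine-learning-model", "data"}
EXTREF_TYPES: Dict[str, Set[str]] = {"1.4": {"vcs", "website", "advisories", "bom", "documentation", "license", "other"}}
EXTREF_TYPES["1.5"] = EXTREF_TYPES["1.4"] | {"security-contact", "model-card", "threat-model", "log"}
RATING_METHODS: Dict[str, Set[str]] = {"1.4": {"CVSSv2", "CVSSv3", "CVSSv31", "OWASP", "other"}}
RATING_METHODS["1.5"] = RATING_METHODS["1.4"] | {"CVSSv4", "SSVC"}

SAMPLE_BOM = {  # constructed input, not from any real project
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3", "bom-ref": "libfoo@1.2.3",
         "externalReferences": [
             {"type": "vcs", "url": "https://example.invalid/libfoo.git"},
             {"type": "threat-model", "url": "https://example.invalid/libfoo/threat-model"}]},
        {"type": "machine-learning-model", "name": "classifier", "version": "2", "bom-ref": "classifier@2"}],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "affects": [{"ref": "libfoo@1.2.3"}],
         "ratings": [{"method": "CVSSv31", "score": 7.5}, {"method": "CVSSv4", "score": 8.1}]}],
}


class SerializationOfUnsupportedComponentTypeException(Exception):
    """The target schema version has no component type for this component."""


def downgrade(bom: dict, schema_version: str) -> Tuple[dict, List[str]]:
    """Return a copy of `bom` valid for `schema_version` plus a list of data losses.

    * component.type unsupported     -> raise: a wrong type would misdescribe the artifact
    * externalReference unsupported  -> migrate to "other": URL kept, its meaning lost
    * rating method unsupported      -> omit that rating and warn
    The input is never modified, so the caller can still render it as 1.5.
    """
    if schema_version not in COMPONENT_TYPES:
        raise ValueError(f"unknown CycloneDX schema version {schema_version!r}")
    out = copy.deepcopy(bom)
    out["specVersion"] = schema_version
    losses: List[str] = []
    for comp in out.get("components", []):
        if comp["type"] not in COMPONENT_TYPES[schema_version]:
            raise SerializationOfUnsupportedComponentTypeException(
                f"component {comp['name']!r}: type {comp['type']!r} does not exist in CycloneDX {schema_version}")
        for ref in comp.get("externalReferences", []):
            if ref["type"] not in EXTREF_TYPES[schema_version]:
                losses.append(f"{comp['name']}: externalReference {ref['type']!r} migrated to 'other'")
                ref["type"] = "other"
    for vuln in out.get("vulnerabilities", []):
        ratings = vuln.get("ratings", [])
        kept = [r for r in ratings if r.get("method", "other") in RATING_METHODS[schema_version]]
        for r in ratings:
            if r not in kept:
                losses.append(f"{vuln['id']}: rating with method {r['method']!r} omitted")
        if len(kept) != len(ratings):
            vuln["ratings"] = kept
    for loss in losses:
        warnings.warn(f"CycloneDX {schema_version} data loss: {loss}")
    return out, losses


def can_render(bom: dict, schema_version: str) -> bool:
    """True when every component type in `bom` is expressible in `schema_version`."""
    try:
        downgrade(bom, schema_version)
    except SerializationOfUnsupportedComponentTypeException:
        return False
    return True


def render(bom: dict, schema_version: str) -> str:
    """JSON text for `schema_version`; every enum value in it is valid for that version."""
    return json.dumps(downgrade(bom, schema_version)[0], indent=2)
```

The warnings are the signal a producer should not swallow: the 1.4 document is valid, but the consumer sees a generic "other" link where the producer had a threat model and never sees the CVSSv4 rating, so a downgrade trades schema compatibility for a loss of risk information.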

v5.1.1

02 Nov 11:56

v5.1.1 (2023-11-02)

Fix

  • fix: update own externalReferences (#480)

What's Changed

Full Changelog: v5.1.0...v5.1.1

v5.1.0

31 Oct 21:05

Documentation

  • docs: advance license docs (f61a730)

Feature

  • feat: guarantee unique BomRefs in serialization result (#479) (a648775)
    Incorporate output.BomRefDiscriminator on serialization

What's Changed

  • feat: guarantee unique BomRefs in serialization result by @jkowalleck in #479

Full Changelog: v5.0.1...v5.1.0
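The guarantee introduced in v5.1.0 above (unique bom-refs in the serialization result, via output.BomRefDiscriminator) and restated in the v6.0.0 notes (BomRef.value defaults to None, yet all bom-refs are unique on rendering) is easiest to see on a small model. The following is an added example, not code from cyclonedx-python-lib: a component carries a BomRef object whose value may be unset or may collide with another component's, and right before rendering every such ref receives a fresh unique value. Because dependency edges hold the same BomRef objects, rewriting a value updates the graph consistently. All names here (BomRef, Component, discriminate_bom_refs, render_json, graph_is_consistent, sample_components) are the example's own; the library's discriminator interface is not shown on this page.

```python
"""Added example (not cyclonedx-python-lib code): unique bom-refs at render time."""
from __future__ import annotations
import json
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class BomRef:
    """Mutable holder, so one object is shared by a component and the edges pointing at it."""

    def __init__(self, value: Optional[str] = None) -> None:
        self.value = value  # None until discriminated, or a caller-supplied id

    def __repr__(self) -> str:
        return f"BomRef({self.value!r})"


@dataclass
class Component:
    name: str
    version: str
    bom_ref: BomRef = field(default_factory=BomRef)
    depends_on: List[BomRef] = field(default_factory=list)  # shares the BomRef objects


def discriminate_bom_refs(components: List[Component], prefix: str = "BomRef.") -> Dict[str, str]:
    """Assign a unique value to every BomRef whose value is missing or already seen.

    The first component with a given value keeps it; later ones are renamed.
    Returns {"name@version": new_value} for the refs that were changed.
    """
    taken = {c.bom_ref.value for c in components if c.bom_ref.value is not None}
    seen: set = set()
    changed: Dict[str, str] = {}
    for comp in components:
        ref = comp.bom_ref
        if ref.value is None or ref.value in seen:
            new = f"{prefix}{uuid.uuid4()}"
            while new in taken:  # practically never, but a second collision is never emitted
                new = f"{prefix}{uuid.uuid4()}"
            taken.add(new)
            ref.value = new
            changed[f"{comp.name}@{comp.version}"] = new
        seen.add(ref.value)
    return changed


def render_json(components: List[Component], discriminate: bool = True) -> str:
    """Render a minimal CycloneDX JSON document; discriminate=False shows the broken output."""
    if discriminate:
        discriminate_bom_refs(components)
    doc = {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "components": [{"type": "library", "name": c.name, "version": c.version, "bom-ref": c.bom_ref.value}
                       for c in components],
        "dependencies": [{"ref": c.bom_ref.value, "dependsOn": [d.value for d in c.depends_on]}
                         for c in components],
    }
    return json.dumps(doc, indent=2)


def graph_is_consistent(rendered: str) -> bool:
    """Consumer-side check: refs present, unique, and every edge resolves to a component."""
    doc = json.loads(rendered)
    refs = [c.get("bom-ref") for c in doc["components"]]
    if None in refs or len(set(refs)) != len(refs):
        return False
    known = set(refs)
    return all(d["ref"] in known and all(x in known for x in d["dependsOn"]) for d in doc["dependencies"])


def sample_components() -> List[Component]:
    """Constructed input: the application has no ref yet, and a generator that keyed
    refs by name alone gave two versions of libfoo the same ref."""
    foo1 = Component("libfoo", "1.0", BomRef("libfoo"))
    foo2 = Component("libfoo", "2.0", BomRef("libfoo"))
    app = Component("app", "0.1", depends_on=[foo1.bom_ref, foo2.bom_ref])
    return [app, foo1, foo2]
```

Without discrimination the rendered document still parses, but a consumer matching vulnerabilities or dependency edges by bom-ref cannot tell the two libfoo versions apart and has no ref for the application at all; the check in graph_is_consistent is the kind of gate a pipeline should run before trusting an SBOM's graph.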

v5.0.1

24 Oct 14:16

Chore

  • chore(deps): bump python-semantic-release/python-semantic-release (#474)

Bumps python-semantic-release/python-semantic-release from 8.0.8 to 8.3.0.


updated-dependencies:

  • dependency-name: python-semantic-release/python-semantic-release
    dependency-type: direct:production
    update-type: version-update:semver-minor
    ...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (9c3ffac)

  • chore: make pyproject parsable by dependabot (#477)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (c4eaaa5)

Documentation

  • docs: revisit project meta (#475)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (c3254d0)

  • docs: fix RTFD build (#476)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (b9fcfb4)

Unknown

  • "chore(deps): revert bump python-semantic-release/python-semantic-release (#474)"

This reverts commit 9c3ffac.

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (aae7304)


What's Changed

Full Changelog: v5.0.0...v5.0.1

v5.0.0

24 Oct 11:04

BREAKING CHANGES

  • Dropped support for python<3.8 (#436 via #441; enables #433)
  • Reworked license related models, collections, and factories (#365 via #466)
  • Behavior
    • Method model.bom.Bom.validate() will throw exception.LicenseExpressionAlongWithOthersException if it detects an invalid license constellation (#453 via #452)
    • Fixed tuple comparison for tuples of unequal length (via #461)
  • API
    • Enum schema.SchemaVersion is no longer string-like (#442 via #447)
    • Enum schema.OutputVersion is no longer string-like (#442 via #447)
    • Abstract class output.BaseOutput requires implementation of new method output_format (#446 via #447)
    • Abstract method output.BaseOutput.output_as_string() got new optional parameter indent (#437 via #458)
    • Abstract method output.BaseOutput.output_as_string() accepts arbitrary kwargs (via #458, #462)
    • Removed class factory.license.LicenseChoiceFactory (via #466)
      The old functionality was integrated into factory.license.LicenseFactory.
    • Method factory.license.LicenseFactory.make_from_string()'s parameter name_or_spdx was renamed to value (via #466)
    • Method factory.license.LicenseFactory.make_from_string()'s return value can also be a LicenseExpression (#365 via #466)
      The behavior imitates the old factory.license.LicenseChoiceFactory.make_from_string()
    • Renamed class model.License to model.license.DisjunctiveLicense (#365 via #466)
    • Removed class model.LicenseChoice (#365 via #466)
      Use dedicated classes model.license.DisjunctiveLicense and model.license.LicenseExpression instead
    • All occurrences of model.LicenseChoice were replaced by model.license.License (#365 via #466)
    • All occurrences of SortedSet[LicenseChoice] were specialized to model.license.LicenseRepository (#365 via #466)

Fixed

  • Serialization of multi-licenses (#365 via #466)
  • Detect unused "dependent" components in model.bom.validate() (via #464)

Changed

  • Updated the shipped list of supported SPDX license identifiers (via #433)
  • Shipped schema files are moved to a protected space (via #433)
    These files were never intended for public use.
  • XML output uses a default namespace, which makes results smaller. (#438 via #458)

Added

  • Support for Python 3.12 (via #460)
  • JSON- & XML-Validators (#432, #446 via #433, #448)
    The functionality might require additional dependencies that can be installed with the extra "validation".
    See the docs in section "Installation" for details.
  • JSON & XML can be generated in a more human-friendly form (#437, #438 via #458)
  • Type hints, typings & overloads for better integration downstream (via #463)
  • API
    • New function output.make_outputter() (via #469)
      This replaces the deprecated function output.get_instance().
    • New sub-package validation (#432, #446 via #433, #448, #468, #469)
    • New class exception.MissingOptionalDependencyException (#432 via #433)
    • New class exception.LicenseExpressionAlongWithOthersException (#453 via #452)
    • New dictionaries output.{json,xml}.BY_SCHEMA_VERSION (#446 via #447)
    • Existing implementations of class output.BaseOutput now have a new method output_format (#446 via #447)
    • Existing implementations of method output.BaseOutput.output_as_string() got new optional parameter indent (#437 via #458)
    • Existing implementations of method output.BaseOutput.output_to_file() got new optional parameter indent (#437 via #458)
    • New method factory.license.LicenseFactory.make_with_expression() (via #466)
    • New class model.license.DisjunctiveLicense (#365 via #466)
    • New class model.license.LicenseExpression (#365 via #466)
    • New class model.license.LicenseRepository (#365 via #466)
    • New class serialization.LicenseRepositoryHelper (#365 via #466)
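The license rework listed under BREAKING CHANGES and Added above turns a string into either one license (SPDX id or free-form name) or an SPDX expression, and Bom.validate() rejects a license list in which an expression sits next to other licenses. The following is an added example, not code from cyclonedx-python-lib, that implements that classification and the constellation check on plain dataclasses so it runs without the library. The class and exception names mirror the notes, but the code is this example's own; KNOWN_SPDX_IDS is a tiny assumed subset of the identifier list the library ships, and expression detection is a simplification (upper-case AND/OR/WITH and parentheses only).

```python
"""Added example (not cyclonedx-python-lib code): license strings and the one-expression rule."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Assumed subset of SPDX identifiers; the real list is much longer.
KNOWN_SPDX_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0-only", "GPL-3.0-or-later", "LGPL-2.1-only"}
_EXPRESSION_MARKER = re.compile(r"\s(?:AND|OR|WITH)\s|[()]")  # what makes a string an expression


@dataclass(frozen=True)
class DisjunctiveLicense:
    """One license: either an SPDX id or, when unknown to SPDX, a name."""
    id: Optional[str] = None
    name: Optional[str] = None


@dataclass(frozen=True)
class LicenseExpression:
    """An SPDX expression such as 'Apache-2.0 OR MIT'; must stand alone in a list."""
    value: str


License = Union[DisjunctiveLicense, LicenseExpression]


class LicenseExpressionAlongWithOthersException(ValueError):
    """An expression mixed with other licenses: the spec allows one or the other."""


def make_from_string(value: str) -> License:
    """Classify a license string: expression, known SPDX id, or named license."""
    value = value.strip()
    if not value:
        raise ValueError("empty license string")
    if _EXPRESSION_MARKER.search(value):
        return LicenseExpression(value)
    if value in KNOWN_SPDX_IDS:
        return DisjunctiveLicense(id=value)
    return DisjunctiveLicense(name=value)  # unknown id: keep it, but as a name


def validate_licenses(licenses: List[License]) -> None:
    """Raise when an expression is combined with any other license entry."""
    expressions = [lic for lic in licenses if isinstance(lic, LicenseExpression)]
    if expressions and len(licenses) > 1:
        raise LicenseExpressionAlongWithOthersException(
            f"expression {expressions[0].value!r} cannot be combined with "
            f"{len(licenses) - 1} other license(s); fold them into the expression instead")


def is_valid_constellation(licenses: List[License]) -> bool:
    try:
        validate_licenses(licenses)
    except LicenseExpressionAlongWithOthersException:
        return False
    return True


def to_cdx_json(licenses: List[License]) -> list:
    """CycloneDX JSON `licenses` array; refuses invalid constellations instead of
    emitting something a consumer would reject or, worse, misread."""
    validate_licenses(licenses)
    out = []
    for lic in licenses:
        if isinstance(lic, LicenseExpression):
            out.append({"expression": lic.value})
        elif lic.id is not None:
            out.append({"license": {"id": lic.id}})
        else:
            out.append({"license": {"name": lic.name}})
    return out
```

A list of several plain licenses is legitimate (the component is offered under each of them), while an expression already encodes that choice; allowing both at once would let a consumer read two contradictory license statements for the same component, which is why the factory returns one kind or the other and serialization refuses the mix.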

Deprecated

  • Function output.get_instance() might be removed, use output.make_outputter() instead (via #469)

Tests

  • Added validation tests with official CycloneDX schema test data (#432 via #433)
  • Use proper snapshots, instead of pseudo comparison (#437 via #464)
  • Added regression test for bug #365 (via #466, #467)

Misc

  • Dependencies: bumped py-serializable@^0.15.0, was @^0.11.1 (via #458, #463, #464, #466)
  • Style: streamlined quotes and strings (via #472)
  • Chore: bumped internal dev- and QA-tools (#436 via #441, #472)
  • Chore: added more QA tools to prevent common security issues (via #473)

What's Changed

Full Changelog: v4.2.3...v5.0.0