Releases: CycloneDX/cyclonedx-python-lib
v6.1.0
v6.1.0 (2023-12-22)
Chore
- chore: update maintainers
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (87c72d7
)
- chore(deps): bump python-semantic-release/python-semantic-release (#515)
Bumps python-semantic-release/python-semantic-release from 8.5.0 to 8.5.1.
updated-dependencies:
- dependency-name: python-semantic-release/python-semantic-release
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (0f56ec4
)
- chore(deps-dev): update coverage requirement from 7.3.2 to 7.3.3 (#517)
Updates the requirements on coverage to permit the latest version.
updated-dependencies:
- dependency-name: coverage
dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (a57e2f6
)
- chore(deps-dev): update isort requirement from 5.13.0 to 5.13.2 (#516)
Updates the requirements on isort to permit the latest version.
updated-dependencies:
- dependency-name: isort
dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (84874a3
)
Feature
- feat: add function to map python
hashlib
algorithms to CycloneDX (#519)
new API: model.HashType.from_hashlib_alg()
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (81f8cf5
)
What's Changed
- chore(deps-dev): update isort requirement from 5.13.0 to 5.13.2 by @dependabot in #516
- chore(deps-dev): update coverage requirement from 7.3.2 to 7.3.3 by @dependabot in #517
- chore(deps): bump python-semantic-release/python-semantic-release from 8.5.0 to 8.5.1 by @dependabot in #515
- feat: add function to map python
hashlib
algorithms to CycloneDX by @jkowalleck in #519
Full Changelog: v6.0.0...v6.1.0
v6.0.0
v6.0.0 (2023-12-10)
Breaking
- feat!: v6.0.0 (#492)
Breaking Changes
- Removed symbols that were already marked as deprecated (via #493)
- Removed symbols in
parser.*
(#489 via #495) - Removed
output.LATEST_SUPPORTED_SCHEMA_VERSION
(#491 via #494) - Serialization of unsupported enum values might downgrade/migrate/omit them (#490 via #496)
Handling might raise warnings if a data loss occurred due to omitting.
The result is a guaranteed valid XML/JSON, since no (enum-)invalid values are rendered. - Serialization of any
model.component.Component
with unsupportedtype
raisesexception.serialization.SerializationOfUnsupportedComponentTypeException
(#490 via #496) - Object
model.bom_ref.BomRef
's propertyvalue
defaults toNull
, was arbitraryUUID
(#504 via #505)
This change does not affect serialization. Allbom-ref
s are guaranteed to have unique values on rendering. - Removed helpers from public API (#503 via #506)
Added
Tests
- Created (regression/unit/integration/functional) tests for CycloneDX 1.5 (#404 via #488)
- Created (regression/functional) tests for Enums' handling and completeness (#490 via #496)
Misc
- Bumped dependency
py-serializable@^0.16
, was@^0.15
(via #496)
API Changes — the details for migration
- Added new sub-package
exception.serialization
(via #496) - Removed class
models.ComparableTuple
(#503 via #506) - Enum
model.ExternalReferenceType
got new cases, to reflect features for CycloneDX 1.5 (#404 via #488) - Removed function
models.get_now_utc
(#503 via #506) - Removed function
models.sha1sum
(#503 via #506) - Enum
model.component.ComponentType
got new cases, to reflect features for CycloneDX 1.5 (#404 via #488) - Removed
model.component.Component.__init__()
's deprecated optional kwargnamespace
(via #493)
Use kwarggroup
instead. - Removed
model.component.Component.__init__()
's deprecated optional kwarglicense_str
(via #493)
Use kwarglicenses
instead. - Removed deprecated method
model.component.Component.get_namespace()
(via #493) - Removed class
models.dependency.DependencyDependencies
(#503 via #506) - Removed
model.vulnerability.Vulnerability.__init__()
's deprecated optional kwargsource_name
(via #493)
Use kwargsource
instead. - Removed
model.vulnerability.Vulnerability.__init__()
's deprecated optional kwargsource_url
(via #493)
Use kwargsource
instead. - Removed
model.vulnerability.Vulnerability.__init__()
's deprecated optional kwargrecommendations
(via #493)
Use kwargrecommendation
instead. - Removed
model.vulnerability.VulnerabilityRating.__init__()
's deprecated optional kwargscore_base
(via #493)
Use kwargscore
instead. - Enum
model.vulnerability.VulnerabilityScoreSource
got new cases, to reflect features for CycloneDX 1.5 (#404 via #488) - Removed
output.LATEST_SUPPORTED_SCHEMA_VERSION
(#491 via #494) - Removed deprecated function
output.get_instance()
(via #493)
Use functionoutput.make_outputter()
instead. - Added new class
output.json.JsonV1Dot5
, to reflect CycloneDX 1.5 (#404 via #488) - Added new item to dict
output.json.BY_SCHEMA_VERSION
, to reflect CycloneDX 1.5 (#404 via #488) - Added new class
output.xml.XmlV1Dot5
, to reflect CycloneDX 1.5 (#404 via #488) - Added new item to dict
output.xml.BY_SCHEMA_VERSION
, to reflect CycloneDX 1.5 (#404 via #488) - Removed class
parser.ParserWarning
(#489 via #495) - Removed class
parser.BaseParser
(#489 via #495) - Enum
schema.SchemaVersion
got new caseV1_5
, to reflect CycloneDX 1.5 (#404 via #488)
Signed-off-by: Johannes Feichtner <johannes@web-wack.at>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: semantic-release <semantic-release>
Co-authored-by: Johannes Feichtner <343448+Churro@users.noreply.github.com>
Co-authored-by: semantic-release <semantic-release> (74865f8
)
Chore
- chore(deps): bump python-semantic-release/python-semantic-release (#509)
Bumps python-semantic-release/python-semantic-release from 8.0.8 to 8.5.0.
updated-dependencies:
- dependency-name: python-semantic-release/python-semantic-release
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (9ed9ab1
)
- chore(deps-dev): update isort requirement from 5.12.0 to 5.13.0 (#512)
Updates the requirements on isort to permit the latest version.
updated-dependencies:
- dependency-name: isort
dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (0eba631
)
- chore(deps-dev): update bandit requirement from 1.7.5 to 1.7.6 (#510)
Updates the requirements on bandit to permit the latest version.
updated-dependencies:
- dependency-name: bandit
dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (153b07a
)
- chore(deps): bump actions/setup-python from 4 to 5 (#508)
Bumps actions/setup-python from 4 to 5.
updated-dependencies:
- dependency-name: actions/setup-python
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (4e3e0e0
)
- chore(deps): update sphinx-rtd-theme requirement (#499)
Updates the requirements on sphinx-rtd-theme to permit the latest version.
updated-dependencies:
- dependency-name: sphinx-rtd-theme
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (5d6dd41
)
- chore(deps-dev): update flake8-bugbear requirement (#500)
Updates the requirements on flake8-bugbear to permit the latest version.
updated-dependencies:
- dependency-name: flake8-bugbear
dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by:...
v6.0.0-rc.3
What's Changed since v6.0.0-rc.2
Build process was modernized
see the details here: #492
v6.0.0-rc.3 Changelog: v6.0.0-rc.2...v6.0.0-rc.3
Full change list
see #492
Full Changelog: v5.2.0...v6.0.0-rc.3
v6.0.0-rc.2
What's Changed since v6.0.0-rc.1
Breaking Changes
- Object
model.bom_ref.BomRef
's propertyvalue
defaults toNull
, was arbitraryUUID
(#504 via #505)
This change does not affect serialization. Allbom-ref
s are guaranteed to have unique values on rendering. - Removed helpers from public API (#503 via #506)
see the details here: #492
v6.0.0-rc.2 Changelog: v6.0.0-rc.1...v6.0.0-rc.2
Full change list
see #492
Full Changelog: v5.2.0...v6.0.0-rc.2
v5.2.0
v5.2.0 (2023-12-02)
Chore
- chore(deps-dev): update mypy requirement from 1.7.0 to 1.7.1 (#487)
Updates the requirements on mypy to permit the latest version.
updated-dependencies:
- dependency-name: mypy
dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (78957e6
)
- chore(deps-dev): update mypy requirement from 1.6.1 to 1.7.0 (#484)
Updates the requirements on mypy to permit the latest version.
updated-dependencies:
- dependency-name: mypy
dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (c716ba3
)
- chore(deps-dev): update ddt requirement from 1.6.0 to 1.7.0 (#483)
Updates the requirements on ddt to permit the latest version.
updated-dependencies:
- dependency-name: ddt
dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (8a1f7b9
)
- chore: mograte dev-dependencies to new poetry layout (#482)
see https://python-poetry.org/docs/managing-dependencies/#dependency-groups
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (a85585c
)
- chore(deps-dev): update flake8-isort requirement from 6.1.0 to 6.1.1 (#481)
Updates the requirements on flake8-isort to permit the latest version.
updated-dependencies:
- dependency-name: flake8-isort
dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (fc74ddd
)
Documentation
- docs: keywaords & funding (#486)
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (3189e59
)
Feature
- feat:
model.XsUri
migrate control characters according to spec (#498)
fixes #497
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (e490429
)
v6.0.0-rc.1
Breaking Changes
- Removed symbols that were already marked as deprecated (via #493)
- Removed symbols in
parser.*
(#489 via #495) - Removed
output.LATEST_SUPPORTED_SCHEMA_VERSION
(#491 via #494) - Serialization of unsupported enum values might downgrade/migrate/omit them (#490 via #496)
Handling might raise warnings if a data loss occurred due to omitting.
The result is a guaranteed valid XML/JSON, since no (enum-)invalid values are rendered. - Serialization of any
model.component.Component
with unsupportedtype
raisesexception.serialization.SerializationOfUnsupportedComponentTypeException
(#490 via #496)
Added
Tests
- Created (regression/unit/integration/functional) tests for CycloneDX 1.5 (#404 via #488)
- Created (regression/functional) tests for Enums' handling and completeness (#490 via #496)
Misc
- Bumped dependency
py-serializable@^0.16
, was@^0.15
(via #496)
API Changes — the details for migration
- Added new sub-package
exception.serialization
(via #496) - Enum
model.ExternalReferenceType
got new cases, to reflect features for CycloneDX 1.5 (#404 via #488) - Enum
model.component.ComponentType
got new cases, to reflect features for CycloneDX 1.5 (#404 via #488) - Removed
model.component.Component.__init__()
's optional kwargnamespace
(via #493)
Use kwarggroup
instead. - Removed
model.component.Component.__init__()
's optional kwarglicense_str
(via #493)
Use kwarglicenses
instead. - Removed method
model.component.Component.get_namespace()
(via #493) - Removed
model.vulnerability.Vulnerability.__init__()
's optional kwargsource_name
(via #493)
Use kwargsource
instead. - Removed
model.vulnerability.Vulnerability.__init__()
's optional kwargsource_url
(via #493)
Use kwargsource
instead. - Removed
model.vulnerability.Vulnerability.__init__()
's optional kwargrecommendations
(via #493)
Use kwargrecommendation
instead. - Removed
model.vulnerability.VulnerabilityRating.__init__()
's optional kwargscore_base
(via #493)
Use kwargscore
instead. - Enum
model.vulnerability.VulnerabilityScoreSource
got new cases, to reflect features for CycloneDX 1.5 (#404 via #488) - Removed
output.LATEST_SUPPORTED_SCHEMA_VERSION
(#491 via #494) - Removed deprecated function
output.get_instance()
(via #493)
Use functionoutput.make_outputter()
instead. - Added new class
output.json.JsonV1Dot5
, to reflect CycloneDX 1.5 (#404 via #488) - Added new item to dict
output.json.BY_SCHEMA_VERSION
, to reflect CycloneDX 1.5 (#404 via #488) - Added new class
output.xml.XmlV1Dot5
, to reflect CycloneDX 1.5 (#404 via #488) - Added new item to dict
output.xml.BY_SCHEMA_VERSION
, to reflect CycloneDX 1.5 (#404 via #488) - Removed class
parser.ParserWarning
(#489 via #495) - Removed class
parser.BaseParser
(#489 via #495) - Enum
schema.SchemaVersion
got new caseV1_5
, to reflect CycloneDX 1.5 (#404 via #488)
What's Changed
- chore(deps-dev): update flake8-isort requirement from 6.1.0 to 6.1.1 by @dependabot in #481
- chore: mograte dev-dependencies to new poetry layout by @jkowalleck in #482
- chore(deps-dev): update ddt requirement from 1.6.0 to 1.7.0 by @dependabot in #483
- chore(deps-dev): update mypy requirement from 1.6.1 to 1.7.0 by @dependabot in #484
- docs: keywords & funding by @jkowalleck in #486
- chore(deps-dev): update mypy requirement from 1.7.0 to 1.7.1 by @dependabot in #487
- feat: add basic support for CDX 1.5 by @Churro and @jkowalleck in #488
- Remove deprecated 6.0.0 by @jkowalleck in #493
- bc: remove const
output.LATEST_SUPPORTED_SCHEMA_VERSION
by @jkowalleck in #494 - bc: remove parser API by @jkowalleck in #495
- Feat: prevent unknwon enums from rendering by @jkowalleck in #496
Full Changelog: v5.1.1...v6.0.0-rc.1
v5.1.1
v5.1.1 (2023-11-02)
Fix
- fix: update own
externalReferences
(#480)
What's Changed
- fix: update own
externalReferences
by @jkowalleck in #480
Full Changelog: v5.1.0...v5.1.1
v5.1.0
Documentation
- docs: advance license docs (
f61a730
)
Feature
- feat: guarantee unique
BomRef
s in serialization result (#479) (a648775
)
Incorporateoutput.BomRefDiscriminator
on serialization
What's Changed
- feat: guarantee unique
BomRef
s in serialization result by @jkowalleck in #479
Full Changelog: v5.0.1...v5.1.0
v5.0.1
Chore
- chore(deps): bump python-semantic-release/python-semantic-release (#474)
Bumps python-semantic-release/python-semantic-release from 8.0.8 to 8.3.0.
updated-dependencies:
- dependency-name: python-semantic-release/python-semantic-release
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (9c3ffac
)
- chore: make
pyproject
parsable by dependabot (#477)
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (c4eaaa5
)
Documentation
- docs: revisit project meta (#475)
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (c3254d0
)
- docs: fix RTFD build (#476)
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (b9fcfb4
)
Unknown
- "chore(deps): revert bump python-semantic-release/python-semantic-release (#474)"
This reverts commit 9c3ffac.
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> (aae7304
)
What's Changed
- docs: fix RTFD build by @jkowalleck in #476
- docs: revisit project meta by @jkowalleck in #475
- chore: make
pyproject
parsable by dependabot by @jkowalleck in #477 - chore(deps): bump python-semantic-release/python-semantic-release from 8.0.8 to 8.3.0 by @dependabot in #474
Full Changelog: v5.0.0...v5.0.1
v5.0.0
BREAKING CHANGES
- Dropped support for python<3.8 (#436 via #441; enable #433)
- Reworked license related models, collections, and factories (#365 via #466)
- Behavior
- API
- Enum
schema.SchemaVersion
is no longer string-like (#442 via #447) - Enum
schema.OutputVersion
is no longer string-like (#442 via #447) - Abstract class
output.BaseOutput
requires implementation of new methodoutput_format
(#446 via #447) - Abstract method
output.BaseOutput.output_as_string()
got new optional parameterindent
(#437 via #458) - Abstract method
output.BaseOutput.output_as_string()
accepts arbitrary kwargs (via #458, #462) - Removed class
factory.license.LicenseChoiceFactory
(via #466)
The old functionality was integrated intofactory.license.LicenseFactory
. - Method
factory.license.LicenseFactory.make_from_string()
's parametername_or_spdx
was renamed tovalue
(via #466) - Method
factory.license.LicenseFactory.make_from_string()
's return value can also be aLicenseExpression
(#365 via #466)
The behavior imitates the oldfactory.license.LicenseChoiceFactory.make_from_string()
- Renamed class
module.License
tomodule.license.DisjunctliveLicense
(#365 via #466) - Removed class
module.LicenseChoice
(#365 via #466)
Use dedicated classesmodule.license.DisjunctliveLicense
andmodule.license.LicenseExpression
instead - All occurrences of
models.LicenseChoice
were replaced bymodels.licenses.License
(#365 via #466) - All occurrences of
SortedSet[LicenseChoice]
were specialized tomodels.license.LicenseRepository
(#365 via #466)
- Enum
Fixed
- Serialization of multy-licenses (#365 via #466)
- Detect unused "dependent" components in
model.bom.validate()
(via #464)
Changed
- Updated latest supported list of supported SPDX license identifiers (via #433)
- Shipped schema files are moved to a protected space (via #433)
These files were never intended for public use. - XML output uses a default namespace, which makes results smaller. (#438 via #458)
Added
- Support for Python 3.12 (via #460)
- JSON- & XML-Validators (#432, #446 via #433, #448)
The functionality might require additional dependencies, that can be installed with the extra "validation".
See the docs in section "Installation" for details. - JSON & XML can be generated in a more human-friendly form (#437, #438 via #458)
- Type hints, typings & overloads for better integration downstream (via #463)
- API
- New function
output.make_outputter()
(via #469)
This replaces the deprecated functionoutput.get_instance()
. - New sub-package
validation
(#432, #446 via #433, #448, #469, #468, #469) - New class
exception.MissingOptionalDependencyException
(#432 via #433) - New class
exception.LicenseExpressionAlongWithOthersException
(#453 via #452) - New dictionaries
output.{json,xml}.BY_SCHEMA_VERSION
(#446 via #447) - Existing implementations of class
output.BaseOutput
now have a new methodoutput_format
(#446 via #447) - Existing implementations of method
output.BaseOutput.output_as_string()
got new optional parameterindent
(#437 via #458) - Existing implementations of method
output.BaseOutput.output_to_file()
got new optional parameterindent
(#437 via #458) - New method
factory.license.LicenseFactory.make_with_expression()
(via #466) - New class
model.license.DisjunctiveLicense
(#365 via #466) - New class
model.license.LicenseExpression
(#365 via #466) - New class
model.license.LicenseRepository
(#365 via #466) - New class
serialization.LicenseRepositoryHelper
(#365 via #466)
- New function
Deprecated
- Function
output.get_instance()
might be removed, useoutput.make_outputter()
instead (via #469)
Tests
- Added validation tests with official CycloneDX schema test data (#432 via #433)
- Use proper snapshots, instead of pseudo comparison (#437 via #464)
- Added regression test for bug #365 (via #466, #467)
Misc
- Dependencies: bumped
py-serializable@^0.15.0
, was@^0.11.1
(via #458, #463, #464, #466) - Style: streamlined quotes and strings (via #472)
- Chore: bumped internal dev- and QA-tools (#436 via #441, #472)
- Chore: added more QA tools to prevent common security issues (via #473)
What's Changed
- feat!: v5.0.0 by @jkowalleck in #440
Full Changelog: v4.2.3...v5.0.0