v6.0.0

v6.0.0 (2023-12-10)

Breaking

• feat!: v6.0.0 (#492)

Breaking Changes

• Removed symbols that were already marked as deprecated (via #493)
• Removed symbols in parser.* (#489 via #495)
• Removed output.LATEST_SUPPORTED_SCHEMA_VERSION (#491 via #494)
• Serialization of unsupported enum values might downgrade/migrate/omit them (#490 via #496)
  Handling might raise warnings if a data loss occurred due to omitting.
  The result is a guaranteed valid XML/JSON, since no (enum-)invalid values are rendered.
• Serialization of any model.component.Component with unsupported type raises exception.serialization.SerializationOfUnsupportedComponentTypeException (#490 via #496)
• Object model.bom_ref.BomRef's property value defaults to Null, was arbitrary UUID (#504 via #505)
  This change does not affect serialization. All bom-refs are guaranteed to have unique values on rendering.
• Removed helpers from public API (#503 via #506)

Added

• Basic support for CycloneDX 1.5 (#404 via #488) -- Thanks to @Churro
  • No data models were enhanced nor added, yet.
    Pull requests to add functionality are welcome.
  • Existing enumerable got new cases, to reflect features of CycloneDX 1.5 (#404 via #488)
  • Outputters were enabled to render CycloneDX 1.5 (#404 via #488)

Tests

• Created (regression/unit/integration/functional) tests for CycloneDX 1.5 (#404 via #488)
• Created (regression/functional) tests for Enums' handling and completeness (#490 via #496)

Misc

• Bumped dependency py-serializable@^0.16, was @^0.15 (via #496)

---

API Changes — the details for migration

• Added new sub-package exception.serialization (via #496)
• Removed class models.ComparableTuple (#503 via #506)
• Enum model.ExternalReferenceType got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
• Removed function models.get_now_utc (#503 via #506)
• Removed function models.sha1sum (#503 via #506)
• Enum model.component.ComponentType got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
• Removed model.component.Component.__init__()'s deprecated optional kwarg namespace (via #493)
  Use kwarg group instead.
• Removed model.component.Component.__init__()'s deprecated optional kwarg license_str (via #493)
  Use kwarg licenses instead.
• Removed deprecated method model.component.Component.get_namespace() (via #493)
• Removed class models.dependency.DependencyDependencies (#503 via #506)
• Removed model.vulnerability.Vulnerability.__init__()'s deprecated optional kwarg source_name (via #493)
  Use kwarg source instead.
• Removed model.vulnerability.Vulnerability.__init__()'s deprecated optional kwarg source_url (via #493)
  Use kwarg source instead.
• Removed model.vulnerability.Vulnerability.__init__()'s deprecated optional kwarg recommendations (via #493)
  Use kwarg recommendation instead.
• Removed model.vulnerability.VulnerabilityRating.__init__()'s deprecated optional kwarg score_base (via #493)
  Use kwarg score instead.
• Enum model.vulnerability.VulnerabilityScoreSource got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
• Removed output.LATEST_SUPPORTED_SCHEMA_VERSION (#491 via #494)
• Removed deprecated function output.get_instance() (via #493)
  Use function output.make_outputter() instead.
• Added new class output.json.JsonV1Dot5, to reflect CycloneDX 1.5 (#404 via #488)
• Added new item to dict output.json.BY_SCHEMA_VERSION, to reflect CycloneDX 1.5 (#404 via #488)
• Added new class output.xml.XmlV1Dot5, to reflect CycloneDX 1.5 (#404 via #488)
• Added new item to dict output.xml.BY_SCHEMA_VERSION, to reflect CycloneDX 1.5 (#404 via #488)
• Removed class parser.ParserWarning (#489 via #495)
• Removed class parser.BaseParser (#489 via #495)
• Enum schema.SchemaVersion got new case V1_5, to reflect CycloneDX 1.5 (#404 via #488)

---

Signed-off-by: Johannes Feichtner <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: semantic-release <semantic-release>
Co-authored-by: Johannes Feichtner <[email protected]>
Co-authored-by: semantic-release <semantic-release> (74865f8)

Chore

• chore(deps): bump python-semantic-release/python-semantic-release (#509)

Bumps python-semantic-release/python-semantic-release from 8.0.8 to 8.5.0.

• Release notes
• Changelog
• Commits

---

updated-dependencies:

• dependency-name: python-semantic-release/python-semantic-release
  dependency-type: direct:production
  update-type: version-update:semver-minor
  ...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (9ed9ab1)

• chore(deps-dev): update isort requirement from 5.12.0 to 5.13.0 (#512)

Updates the requirements on isort to permit the latest version.

• Release notes
• Changelog
• Commits

---

updated-dependencies:

• dependency-name: isort
  dependency-type: direct:development
  ...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (0eba631)

• chore(deps-dev): update bandit requirement from 1.7.5 to 1.7.6 (#510)

Updates the requirements on bandit to permit the latest version.

• Release notes
• Commits

---

updated-dependencies:

• dependency-name: bandit
  dependency-type: direct:development
  ...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (153b07a)

• chore(deps): bump actions/setup-python from 4 to 5 (#508)

Bumps actions/setup-python from 4 to 5.

• Release notes
• Commits

---

updated-dependencies:

• dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-major
  ...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (4e3e0e0)

• chore(deps): update sphinx-rtd-theme requirement (#499)

Updates the requirements on sphinx-rtd-theme to permit the latest version.

• Changelog
• Commits

---

updated-dependencies:

• dependency-name: sphinx-rtd-theme
  dependency-type: direct:production
  ...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (5d6dd41)

• chore(deps-dev): update flake8-bugbear requirement (#500)

Updates the requirements on flake8-bugbear to permit the latest version.

• Release notes
• Commits

---

updated-dependencies:

• dependency-name: flake8-bugbear
  dependency-type: direct:development
  ...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by:...

v6.0.0-rc.3

What's Changed since v6.0.0-rc.2

Build process was modernized

see the details here: #492

v6.0.0-rc.3 Changelog: v6.0.0-rc.2...v6.0.0-rc.3

---

Full change list

see #492

Full Changelog: v5.2.0...v6.0.0-rc.3

v6.0.0-rc.2

What's Changed since v6.0.0-rc.1

Breaking Changes

• Object model.bom_ref.BomRef's property value defaults to Null, was arbitrary UUID (#504 via #505)
  This change does not affect serialization. All bom-refs are guaranteed to have unique values on rendering.
• Removed helpers from public API (#503 via #506)

see the details here: #492

v6.0.0-rc.2 Changelog: v6.0.0-rc.1...v6.0.0-rc.2

---

Full change list

see #492

Full Changelog: v5.2.0...v6.0.0-rc.2

v5.2.0

v5.2.0 (2023-12-02)

Chore

• chore(deps-dev): update mypy requirement from 1.7.0 to 1.7.1 (#487)

Updates the requirements on mypy to permit the latest version.

• Changelog
• Commits

---

updated-dependencies:

• dependency-name: mypy
  dependency-type: direct:development
  ...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (78957e6)

• chore(deps-dev): update mypy requirement from 1.6.1 to 1.7.0 (#484)

Updates the requirements on mypy to permit the latest version.

• Changelog
• Commits

---

updated-dependencies:

• dependency-name: mypy
  dependency-type: direct:development
  ...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (c716ba3)

• chore(deps-dev): update ddt requirement from 1.6.0 to 1.7.0 (#483)

Updates the requirements on ddt to permit the latest version.

• Release notes
• Commits

---

updated-dependencies:

• dependency-name: ddt
  dependency-type: direct:development
  ...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (8a1f7b9)

• chore: mograte dev-dependencies to new poetry layout (#482)

see https://python-poetry.org/docs/managing-dependencies/#dependency-groups

Signed-off-by: Jan Kowalleck <[email protected]> (a85585c)

• chore(deps-dev): update flake8-isort requirement from 6.1.0 to 6.1.1 (#481)

Updates the requirements on flake8-isort to permit the latest version.

• Changelog
• Commits

---

updated-dependencies:

• dependency-name: flake8-isort
  dependency-type: direct:development
  ...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (fc74ddd)

Documentation

• docs: keywaords & funding (#486)

Signed-off-by: Jan Kowalleck <[email protected]> (3189e59)

Feature

• feat: model.XsUri migrate control characters according to spec (#498)

fixes #497

---

Signed-off-by: Jan Kowalleck <[email protected]> (e490429)

v6.0.0-rc.1

Breaking Changes

• Removed symbols that were already marked as deprecated (via #493)
• Removed symbols in parser.* (#489 via #495)
• Removed output.LATEST_SUPPORTED_SCHEMA_VERSION (#491 via #494)
• Serialization of unsupported enum values might downgrade/migrate/omit them (#490 via #496)
  Handling might raise warnings if a data loss occurred due to omitting.
  The result is a guaranteed valid XML/JSON, since no (enum-)invalid values are rendered.
• Serialization of any model.component.Component with unsupported type raises exception.serialization.SerializationOfUnsupportedComponentTypeException (#490 via #496)

Added

• Basic support for CycloneDX 1.5 (#404 via #488)
  • No data models were enhanced nor added, yet.
    Pull requests to add functionality are welcome.
  • Existing enumerable got new cases, to reflect features of CycloneDX 1.5 (#404 via #488)
  • Outputters were enabled to render CycloneDX 1.5 (#404 via #488)

Tests

• Created (regression/unit/integration/functional) tests for CycloneDX 1.5 (#404 via #488)
• Created (regression/functional) tests for Enums' handling and completeness (#490 via #496)

Misc

• Bumped dependency py-serializable@^0.16, was @^0.15 (via #496)

---

API Changes — the details for migration

• Added new sub-package exception.serialization (via #496)
• Enum model.ExternalReferenceType got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
• Enum model.component.ComponentType got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
• Removed model.component.Component.__init__()'s optional kwarg namespace (via #493)
  Use kwarg group instead.
• Removed model.component.Component.__init__()'s optional kwarg license_str (via #493)
  Use kwarg licenses instead.
• Removed method model.component.Component.get_namespace() (via #493)
• Removed model.vulnerability.Vulnerability.__init__()'s optional kwarg source_name (via #493)
  Use kwarg source instead.
• Removed model.vulnerability.Vulnerability.__init__()'s optional kwarg source_url (via #493)
  Use kwarg source instead.
• Removed model.vulnerability.Vulnerability.__init__()'s optional kwarg recommendations (via #493)
  Use kwarg recommendation instead.
• Removed model.vulnerability.VulnerabilityRating.__init__()'s optional kwarg score_base (via #493)
  Use kwarg score instead.
• Enum model.vulnerability.VulnerabilityScoreSource got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
• Removed output.LATEST_SUPPORTED_SCHEMA_VERSION (#491 via #494)
• Removed deprecated function output.get_instance() (via #493)
  Use function output.make_outputter() instead.
• Added new class output.json.JsonV1Dot5, to reflect CycloneDX 1.5 (#404 via #488)
• Added new item to dict output.json.BY_SCHEMA_VERSION, to reflect CycloneDX 1.5 (#404 via #488)
• Added new class output.xml.XmlV1Dot5, to reflect CycloneDX 1.5 (#404 via #488)
• Added new item to dict output.xml.BY_SCHEMA_VERSION, to reflect CycloneDX 1.5 (#404 via #488)
• Removed class parser.ParserWarning (#489 via #495)
• Removed class parser.BaseParser (#489 via #495)
• Enum schema.SchemaVersion got new case V1_5, to reflect CycloneDX 1.5 (#404 via #488)

---

What's Changed

• chore(deps-dev): update flake8-isort requirement from 6.1.0 to 6.1.1 by @dependabot in #481
• chore: mograte dev-dependencies to new poetry layout by @jkowalleck in #482
• chore(deps-dev): update ddt requirement from 1.6.0 to 1.7.0 by @dependabot in #483
• chore(deps-dev): update mypy requirement from 1.6.1 to 1.7.0 by @dependabot in #484
• docs: keywords & funding by @jkowalleck in #486
• chore(deps-dev): update mypy requirement from 1.7.0 to 1.7.1 by @dependabot in #487
• feat: add basic support for CDX 1.5 by @Churro and @jkowalleck in #488
• Remove deprecated 6.0.0 by @jkowalleck in #493
• bc: remove const output.LATEST_SUPPORTED_SCHEMA_VERSION by @jkowalleck in #494
• bc: remove parser API by @jkowalleck in #495
• Feat: prevent unknwon enums from rendering by @jkowalleck in #496

Full Changelog: v5.1.1...v6.0.0-rc.1

v5.1.1

v5.1.1 (2023-11-02)

Fix

• fix: update own externalReferences (#480)

---

What's Changed

• fix: update own externalReferences by @jkowalleck in #480

Full Changelog: v5.1.0...v5.1.1

v5.1.0

Documentation

• docs: advance license docs (f61a730)

Feature

• feat: guarantee unique BomRefs in serialization result (#479) (a648775)
  Incorporate output.BomRefDiscriminator on serialization

---

What's Changed

• feat: guarantee unique BomRefs in serialization result by @jkowalleck in #479

Full Changelog: v5.0.1...v5.1.0

v5.0.1

Chore

• chore(deps): bump python-semantic-release/python-semantic-release (#474)

Bumps python-semantic-release/python-semantic-release from 8.0.8 to 8.3.0.

• Release notes
• Changelog
• Commits

---

updated-dependencies:

• dependency-name: python-semantic-release/python-semantic-release
  dependency-type: direct:production
  update-type: version-update:semver-minor
  ...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (9c3ffac)

• chore: make pyproject parsable by dependabot (#477)

Signed-off-by: Jan Kowalleck <[email protected]> (c4eaaa5)

Documentation

• docs: revisit project meta (#475)

Signed-off-by: Jan Kowalleck <[email protected]> (c3254d0)

• docs: fix RTFD build (#476)

Signed-off-by: Jan Kowalleck <[email protected]> (b9fcfb4)

Unknown

• "chore(deps): revert bump python-semantic-release/python-semantic-release (#474)"

This reverts commit 9c3ffac.

Signed-off-by: Jan Kowalleck <[email protected]> (aae7304)

---

What's Changed

• docs: fix RTFD build by @jkowalleck in #476
• docs: revisit project meta by @jkowalleck in #475
• chore: make pyproject parsable by dependabot by @jkowalleck in #477
• chore(deps): bump python-semantic-release/python-semantic-release from 8.0.8 to 8.3.0 by @dependabot in #474

Full Changelog: v5.0.0...v5.0.1

v5.0.0

BREAKING CHANGES

• Dropped support for python<3.8 (#436 via #441; enable #433)
• Reworked license related models, collections, and factories (#365 via #466)
• Behavior
  • Method model.bom.Bom.validate() will throw exception.LicenseExpressionAlongWithOthersException, if detecting invalid license constellation (#453 via #452)
  • Fixed tuple comparison when unequal lengths (via #461)
• API
  • Enum schema.SchemaVersion is no longer string-like (#442 via #447)
  • Enum schema.OutputVersion is no longer string-like (#442 via #447)
  • Abstract class output.BaseOutput requires implementation of new method output_format (#446 via #447)
  • Abstract method output.BaseOutput.output_as_string() got new optional parameter indent (#437 via #458)
  • Abstract method output.BaseOutput.output_as_string() accepts arbitrary kwargs (via #458, #462)
  • Removed class factory.license.LicenseChoiceFactory (via #466)
    The old functionality was integrated into factory.license.LicenseFactory.
  • Method factory.license.LicenseFactory.make_from_string()'s parameter name_or_spdx was renamed to value (via #466)
  • Method factory.license.LicenseFactory.make_from_string()'s return value can also be a LicenseExpression (#365 via #466)
    The behavior imitates the old factory.license.LicenseChoiceFactory.make_from_string()
  • Renamed class module.License to module.license.DisjunctliveLicense (#365 via #466)
  • Removed class module.LicenseChoice (#365 via #466)
    Use dedicated classes module.license.DisjunctliveLicense and module.license.LicenseExpression instead
  • All occurrences of models.LicenseChoice were replaced by models.licenses.License (#365 via #466)
  • All occurrences of SortedSet[LicenseChoice] were specialized to models.license.LicenseRepository (#365 via #466)

Fixed

• Serialization of multy-licenses (#365 via #466)
• Detect unused "dependent" components in model.bom.validate() (via #464)

Changed

• Updated latest supported list of supported SPDX license identifiers (via #433)
• Shipped schema files are moved to a protected space (via #433)
  These files were never intended for public use.
• XML output uses a default namespace, which makes results smaller. (#438 via #458)

Added

• Support for Python 3.12 (via #460)
• JSON- & XML-Validators (#432, #446 via #433, #448)
  The functionality might require additional dependencies, that can be installed with the extra "validation".
  See the docs in section "Installation" for details.
• JSON & XML can be generated in a more human-friendly form (#437, #438 via #458)
• Type hints, typings & overloads for better integration downstream (via #463)
• API
  • New function output.make_outputter() (via #469)
    This replaces the deprecated function output.get_instance().
  • New sub-package validation (#432, #446 via #433, #448, #469, #468, #469)
  • New class exception.MissingOptionalDependencyException (#432 via #433)
  • New class exception.LicenseExpressionAlongWithOthersException (#453 via #452)
  • New dictionaries output.{json,xml}.BY_SCHEMA_VERSION (#446 via #447)
  • Existing implementations of class output.BaseOutput now have a new method output_format (#446 via #447)
  • Existing implementations of method output.BaseOutput.output_as_string() got new optional parameter indent (#437 via #458)
  • Existing implementations of method output.BaseOutput.output_to_file() got new optional parameter indent (#437 via #458)
  • New method factory.license.LicenseFactory.make_with_expression() (via #466)
  • New class model.license.DisjunctiveLicense (#365 via #466)
  • New class model.license.LicenseExpression (#365 via #466)
  • New class model.license.LicenseRepository (#365 via #466)
  • New class serialization.LicenseRepositoryHelper (#365 via #466)

Deprecated

• Function output.get_instance() might be removed, use output.make_outputter() instead (via #469)

Tests

• Added validation tests with official CycloneDX schema test data (#432 via #433)
• Use proper snapshots, instead of pseudo comparison (#437 via #464)
• Added regression test for bug #365 (via #466, #467)

Misc

• Dependencies: bumped py-serializable@^0.15.0, was @^0.11.1 (via #458, #463, #464, #466)
• Style: streamlined quotes and strings (via #472)
• Chore: bumped internal dev- and QA-tools (#436 via #441, #472)
• Chore: added more QA tools to prevent common security issues (via #473)

---

What's Changed

• feat!: v5.0.0 by @jkowalleck in #440

Full Changelog: v4.2.3...v5.0.0

v5.0.0-rc.2

read the full change log.

---

Ci

• ci: revisit coverage reporting

Signed-off-by: Jan Kowalleck <[email protected]> (bc8e30b)

• ci: revisit coverage reporting

Signed-off-by: Jan Kowalleck <[email protected]> (2967f28)

Documentation

• docs: update title

Signed-off-by: Jan Kowalleck <[email protected]> (9373afc)

Feature

• feat: v5.0.0-rc.2

Signed-off-by: Jan Kowalleck <[email protected]> (e298726)

Style

• style: qa

Signed-off-by: Jan Kowalleck <[email protected]> (a2af2ed)

• style: streamline code quality (#472)

• raised some dev tools
• added more quality checkers and rules
• documented and applied additional code standards

---

Signed-off-by: Jan Kowalleck <[email protected]> (bb0f7a5)

Unknown

• reduce imports

Signed-off-by: Jan Kowalleck <[email protected]> (d09ac36)

• Merge remote-tracking branch 'origin/main' into 5.0.0-dev (c4f7281)

---

What's Changed

• refactor: schema based validator by @jkowalleck in #468
• refactor(DX): rename get_instance() by @jkowalleck in #469
• fix: SPDX-expression-validation internal crashes are cought and handled by @jkowalleck in #471
• style: streamline code quality by @jkowalleck in #472

Full Changelog: v5.0.0-rc.1...v5.0.0-rc.2