Releases: CycloneDX/cyclonedx-php-composer

4.0.2

30 Apr 14:51
a491733

Fixed

  • Typo: "compoer" -> "composer" (#367 via #368)

Full Changelog: v4.0.1...v4.0.2

4.0.1

24 Apr 10:03
a4baab0

Fixed

  • Improved error reporting in case an invalid BOM would be created (via #363)

Full Changelog: v4.0.0...v4.0.1

4.0.0

31 Mar 06:30
92b18c1

Based on the OWASP Software Component Verification Standard for Software Bill of Materials (SCVS SBOM) criteria, this tool is now capable of producing SBOM documents that almost pass Level-2 (only signing needs to be done externally).
Changes based on these SCVS SBOM criteria:

  • 2.1 – Added Support for CycloneDX 1.4 (via #250)
  • 2.3 – SBOM has a unique identifier (#279 via #250, #353)
  • 2.7 – SBOM is timestamped (#112 via #250)
  • 2.9 – Accuracy of Inventory was improved (#102, #122, #261, #313 via #250)
  • 2.10 – Accuracy of Inventory of all test components was improved (#102, #122, #261, #313 via #250)
  • 2.11 – SBOM metadata was enhanced (#171 via #250)
  • 2.15 – SPDX license expression detection fixed (#128 via #250)

BREAKING changes

  • Removed support for PHP <8.1 (#91, #128 via #250)
  • Removed support for Composer <2.3 (#153 via #250)
  • CLI
    • Removed deprecated composer command make-bom, call composer CycloneDX:make-sbom instead (#293 via #309)
    • Changed option output-file: it now defaults to -, which prints to STDOUT (via #250)
    • Removed option exclude-dev in favor of new option omit (via #250)
    • Removed option exclude-plugins in favor of new option omit (via #250)
    • Removed option no-version-normalization (#102 via #250)
  • SBOM results
    • Components' version is no longer artificially normalized (#102 via #250)
  • Dependencies
    • Requires cyclonedx/cyclonedx-library:^2.1, was :^1.4.2 (#128 via #250, #353)

Migration & Details

Read the full list of changes and details here:
https://github.com/CycloneDX/cyclonedx-php-composer/blob/v4.0.0/HISTORY.md#400---details


Full Changelog: v3.11.0...v4.0.0

4.0.0-RC2

24 Mar 19:48
ddeb45d
Pre-release

v4 - Release Candidate 2

Changelog

Changes from RC1 to RC2: v4.0.0-RC1...v4.0.0-RC2

  • Fix: BOM result's components have pURLs again (via #352)
  • Bumped dependency to cyclonedx/cyclonedx-library:^2.1, was 2.0.0-RC1 (via #343, #353)
  • Enhanced the docs (via #336, #348, #349)
  • Internal refactoring & more tests (via #338, #352)

See the full v4 changelog: https://github.com/CycloneDX/cyclonedx-php-composer/blob/v4.0.0-RC2/HISTORY.md#400---unreleased

Installation

As a global Composer plugin:

composer global require cyclonedx/cyclonedx-php-composer:4.0.0-RC2

As a development dependency of the current project:

composer require --dev cyclonedx/cyclonedx-php-composer:4.0.0-RC2

Full Changelog: v3.11.0...v4.0.0-RC2

4.0.0-RC1

12 Mar 12:04
69f1cd1
Pre-release

v4 - Release Candidate 1

Changelog

See https://github.com/CycloneDX/cyclonedx-php-composer/blob/v4.0.0-RC1/HISTORY.md#400---unreleased

Installation

As a global Composer plugin:

composer global require cyclonedx/cyclonedx-php-composer:4.0.0-RC1

As a development dependency of the current project:

composer require --dev cyclonedx/cyclonedx-php-composer:4.0.0-RC1

Full Changelog: v3.11.0...v4.0.0-RC1

3.11.0

11 Feb 11:12
9d223d3

Changed

  • The CLI command composer make-bom is deprecated; use composer CycloneDX:make-sbom instead. (#293 via #308)
    The composer command make-bom will be removed in the next major version.

3.10.2

15 Sep 14:51
091c90f

Maintenance Release.

Legal:

  • Transferred copyright to OWASP Foundation. (via #244)

3.10.1

16 Aug 15:12
9f5d060

Maintenance release.

3.10.0

02 Apr 08:26
341792d

Changed

  • Raised dependency cyclonedx/cyclonedx-library:^1.4.2, was cyclonedx/cyclonedx-library:^1.3.1. (via #192)

Misc

  • Adjusted internal typing and typehints. (via #192)
  • Improved compatibility with Composer v2.3 (via #212)

3.9.2

04 Dec 07:55
6f4056e

Fixed

  • ExternalReferences fetched from composer's support.email are correctly prefixed with "mailto:". (via #161)
    Value was unmodified in the past.