Releases: CycloneDX/cyclonedx-php-composer

3.9.1

03 Dec 17:29
259c2f7

Fixed

  • XML validation error for ExternalReference. (#158 via #159)

Changed

  • The ValidationError message requests reporting with the "ValidationError" issue template. (via #160)
    No template was used in the past.

3.9.0

01 Dec 19:11
9d67797

Added

  • The resulting SBoM holds ExternalReferences as fetched from package descriptions. (via #145)

3.8.0

30 Nov 13:05
68ff57c

Fixed

  • Compatibility with composer v2.0.0 to v2.0.4 was improved. (via #152)
  • Possible crashes when composer was not able to detect a component's version properly.

3.7.0

10 Nov 19:24
c6463d1

Added

  • CLI got a new switch --no-version-normalization. (via #138)
    This allows omitting component version-string normalization.
    By default, this plugin normalizes version strings by stripping a leading "v".
    This is a compatibility-switch. The next major-version of this plugin will not modify component versions. (see #102)

3.6.0

15 Oct 07:33
2fbc58d

Added

  • CLI got a new option --mc-version. (via #133)
    This allows setting the main component's version in the resulting SBoM,
    so that the auto-detection can be overridden.

Fixed

  • The resulting SBoM's main component's purl does not get a version assigned,
    if the version auto-detection fails. (via #134)

3.5.0

07 Oct 14:28
fe1e945

Changed

The "Core" library was moved to its own package: https://packagist.org/packages/cyclonedx/cyclonedx-library
The new external package/library is a one-to-one copy of the original code from this project and is now a dependency (requirement) of this project. Third parties can therefore keep using the original code without any changes.
See #87 for details.

3.4.1

16 Sep 13:59
d3dc643

Fixed

Improved compatibility with composer.

3.4.0

12 Sep 09:10
13c6e8b

Changed

  • Core library
    • Some repository data-types are lists of unique items, so no duplicates are kept.
      Affected classes/data-types :
      • ComponentRepository
      • DisjunctiveLicenseRepository
      • ToolRepository

Added

  • CLI via composer make-bom
    • Will try to populate dependencies of the SBoM result.
  • Core library
    • Added BomRef model to link bom elements in general.
      Added BomRefRepository data type as a collection of unique BomRef.
    • Added bomRef to Component model to link components as dependencies.
      Added dependencies to Component model.
    • Added ability to serialize dependencies to XML.
    • Added ability to serialize dependencies to JSON.

Misc

  • Moved development docs to docs/dev/.
  • Refactored the plugin's internals.

3.3.1

29 Jul 15:46
32300c0

Fixed

  • CLI via composer make-bom
    • Will ignore "AliasPackages" when generating the SBoM, since their alias-target is part of the SBoM already.

3.3.0

25 Jul 21:34
dc7ed76

Changed

  • Core library
    • SerializersGroups will skip unsupported elements silently, instead of forwarding caught exceptions.
      This results in an overall smoother SBoM generation process, just as intended.

Added

  • CLI via composer make-bom
    • Will try to populate metadata of the SBoM result.
  • Core library
    • Added models for spec elements: metadata, tools, tool
    • Added ability to serialize metadata to XML.
    • Added ability to serialize metadata to JSON.

Fixed

  • CLI via composer make-bom
    • composer packages of type project or composer-plugin
      now result in a CycloneDX component of type application; previously this was library.

Misc

  • Updated demos/examples to reflect current state of SBoM results including metadata.
  • Split some tests to more fine-grained scenarios.