Releases: CycloneDX/cyclonedx-php-composer

3.2.0

19 Jul 17:29
c16dbbd

Changed

  • CLI via composer make-bom
    • All informational/error output will appear on STDERR, was STDOUT.
      Output of the SBoM might still happen on STDOUT.
      This makes utilization of STDOUT via --output-file=- more flexible (pipe, redirect)
      whilst verbosity can be increased via -v.

Added

  • CLI via composer make-bom
    • Added an optional argument composer-file.
      If given, then the SBoM is generated based on that file instead of the file in the current working directory.
      This enables the plugin to analyze projects outside the plugin's own setup.

Fixed

  • Fixed detection of invalid/outdated composer lock file.
  • Fixed a rare case that caused the CLI to crash unexpectedly, if the composer lock file was unexpected.

Misc

  • Added composer keywords.
  • Refactored the plugin's internals.
  • Added more tests for internals.

3.1.1

13 Jul 19:29
f619ad3

Maintenance release.

Misc

  • Updated some documentation.
  • Bumped some dev-tools.
  • Added normalizer for composer.json files.

3.1.0

13 Jul 17:39
596bed9

Feature release

Added

  • CLI via composer make-bom
    • By default, the command validates the resulting SBoM before writing it to file/STDOUT.
    • Added a switch --no-validate to disable result validation.
    • When the verbosity is at "debug" level, detailed debug info is output.
      This should help to find validation issues.
  • Validation classes/methods to test SBoM
    in XML and JSON format
    for spec 1.1, 1.2, 1.3

3.0.0

05 Jul 21:25
f11cf50

Breaking Changes

  • Now requires php ^7.3 || ^8.0, was ^7.1 || ^8.0.
  • Now requires composer v2 - composer-plugin-api:^2.0, was composer-plugin-api:^1.1||^2.0.
  • CLI via composer make-bom
    • Now defaults to the latest supported version of CycloneDX spec: 1.3
      See option --spec-version.
    • Deprecated switch --json was removed.
      Use option --output-format=JSON instead.
  • Components' licenses in SpdxLicenseExpression format are no longer split into disjunctive licenses.
    They are still used properly in the resulting output file.
  • Complete rewrite/refactor.
    Expect library classes/methods/functions to be removed, renamed or incompatible with previous versions - see the source for changes.

Added

  • CLI
    • Output is less verbose by default. Can be increased via -v, -vv, -vvv.
    • Support for output to STDOUT. Use option --output-file=-.
    • Added an optional option --spec-version for the CycloneDX spec version.
      Supported values: "1.1", "1.2", "1.3".
      Defaults to "1.3".
  • Support for JSON output format.
    JSON support was a preview before and became a basic part of the plugin now.

Removed

  • This plugin no longer supports php<7.3.
  • This plugin no longer supports composer v1.
  • CLI
    • Deprecated switch --json was removed.
      Use option --output-format=JSON instead.

Fixed

  • Some cases when the JSON SBoM generator created schema-invalid data.

Misc

  • Utilize package-url/packageurl-php
    over own implementation.
  • Added more tests during the build process.
  • Added Psalm & PHP-CS-Fixer to the CI chain and fixed all findings accordingly.
  • Added a demo run of the plugin to the CI chain.

2.1.1

05 Jul 20:49
17db1a1

Maintenance release.

2.1.0

24 May 17:05

Added

  • CLI got an option --output-format to decide the output format. (via #80)
    Supported values: "XML", "JSON".
    Defaults to "XML".
    The use of this new option replaces the switch --json.

Deprecated

  • CLI switch --json was marked as deprecated. (via #80)
    Use option --output-format=JSON instead.

2.0.3

13 May 11:42

Misc

  • Removed php-cs-fixer config from dist release.

2.0.2

13 May 11:22

Misc

  • Applied latest rules of php-cs-fixer to the code. (via #78)

2.0.1

11 Apr 10:24

Added

  • Support for slim dist-builds (via #24)

Misc

  • Pinned dev-requirements to exact versions to ensure reproducible tests. (via #37)
  • Added (code) quality tests to the dev-process. (see #23)
  • CI's unit-tests run only reasonable combinations of operating system, PHP version and dependencies. (via #34, #54)
  • Applied coding standards to all PHP files. (via #40)

2.0.0

06 Mar 10:10

Breaking changes

  • Removed support for PHP < 7.1 (via #17)

Added

  • Support for PHP 8 (via #17)