feat!: v8.0.0 #665

Open: wants to merge 21 commits into base branch main
Conversation

jkowalleck (Member) commented Aug 20, 2024

BREAKING Changes

  • Removed cyclonedx.model.ThisTool, utilize cyclonedx.builder.this.this_tool() instead.
  • Moved cyclonedx.model.Tool to cyclonedx.model.tool.Tool.
  • Property cyclonedx.model.bom.BomMetaData.tools is of type cyclonedx.model.tool.ToolRepository now, was SortedSet[cyclonedx.model.Tool].
    The getter will act accordingly; the setter might act in a backwards-compatible way.
  • Property cyclonedx.model.vulnerability.Vulnerability.tools is of type cyclonedx.model.tool.ToolRepository now, was SortedSet[cyclonedx.model.Tool].
    The getter will act accordingly; the setter might act in a backwards-compatible way.
  • cyclonedx.model.license.LicenseExpression() accepts the optional argument acknowledgement only as a keyword argument, no longer as a positional argument.

Changes

  • Constructor of cyclonedx.model.bom.BomMetaData also accepts an instance of cyclonedx.model.tool.ToolRepository for argument tools
  • Constructor of cyclonedx.model.bom.BomMetaData no longer adds this very library as a tool.
    Downstream users SHOULD add it manually, like my-bom.metadata.tools.components.add(cyclonedx.builder.this.this_component()).

Fixes

  • Deserialization of CycloneDX documents that do not include tools in the metadata is no longer unexpectedly modified/altered.

Added

Enabled Metadata Tools representation and serialization in accordance with CycloneDX 1.5

  • New class cyclonedx.model.tool.ToolRepository.
  • New function cyclonedx.builder.this.this_component() -- representation of this very python library as a Component.
  • New function cyclonedx.builder.this.this_tool() -- representation of this very python library as a Tool.
  • New function cyclonedx.model.tool.Tool.from_component().

Dependencies

  • Raised runtime dependency py-serializable>=1.1.1,<2, was >=1.1.0,<2.

Docs & Migration Paths

rendered docs preview: https://cyclonedx-python-library.readthedocs.io/en/8.0.0-dev/


fixes #561
fixes #594
fixes #673
fixes #681
includes #595
includes #635
includes #649
includes #674
includes #682
includes #684
includes #686
includes #687

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck jkowalleck marked this pull request as draft August 20, 2024 07:42
@jkowalleck jkowalleck requested a review from a team August 20, 2024 07:42
codacy-production bot commented Aug 20, 2024

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation: +0.29%    Diff coverage: 100.00% (target: 80.00%)

Coverage variation details
                                   Coverable lines   Covered lines   Coverage
Common ancestor commit (46321c7)   4512              4193            92.93%
Head commit (2e16408)              4634 (+122)       4320 (+127)     93.22% (+0.29%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
                       Coverable lines   Covered lines   Diff coverage
Pull request (#665)    201               201             100.00%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%


@jkowalleck jkowalleck changed the title feat!: 8.0.0 feat!: v8.0.0 Aug 20, 2024
jkugler and others added 2 commits September 6, 2024 20:27
CycloneDX spec 1.5 deprecated an array of tools in bom.metadata and
instead prefers object with an array of components and an array of
services.

This PR implements that.

This works de-serializing a Syft SBOM with a tool section like so:
```
  "metadata": {
    "timestamp": "2024-06-10T13:06:52-08:00",
    "tools": {
      "components": [
        {
          "type": "application",
          "author": "anchore",
          "name": "syft",
          "version": "1.4.1"
        }
      ]
    },
    "component": {
      "bom-ref": "08329a07b4eb8eac",
      "type": "file",
      "name": "./"
    }
  },
```
Next up: docs, XML (de)serialization code, and tests.

fixes #561

---------

Signed-off-by: Joshua Kugler <tek30584@adobe.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com>
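The PR description above (the ToolRepository type, the library no longer registering itself as a tool, and deserialization of documents without tools no longer being altered) and this commit message (Syft output using the 1.5 object form of metadata.tools) both describe the same migration. The following is an added, stdlib-only illustration written for this page; it is not code from cyclonedx-python-lib, and its class names, the mapping of the legacy `vendor` field onto the 1.5 component `author` field, and the sample inputs (modelled on the Syft snippet quoted above) are this example's own assumptions. It parses both the pre-1.5 array form and the 1.5 `{components, services}` form, re-emits either, leaves a document that had no `tools` untouched, and makes adding the generating tool an explicit caller step.

```python
"""Normalise CycloneDX `metadata.tools` across the <=1.4 array form and the
1.5 object form. Illustrative only; not cyclonedx-python-lib's own code."""
import json
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True, order=True)
class ToolComponent:
    """A tool described as a component (spec >= 1.5 shape).

    Mapping the legacy `vendor` onto `author` is this example's assumption.
    """
    name: str
    version: str = ""
    author: str = ""
    type: str = "application"


@dataclass
class ToolRepository:
    """Mirrors the 1.5 `metadata.tools` object: components plus services."""
    components: set[ToolComponent] = field(default_factory=set)
    services: list[dict] = field(default_factory=list)  # passed through as-is


def parse_metadata_tools(metadata: dict) -> Optional[ToolRepository]:
    """Accept either shape of `metadata.tools`.

    Returns None when the key is absent, so re-serialising never invents a
    `tools` section the input never had.
    """
    tools = metadata.get("tools")
    if tools is None:
        return None
    repo = ToolRepository()
    if isinstance(tools, list):  # legacy: [{"vendor", "name", "version"}, ...]
        for t in tools:
            repo.components.add(ToolComponent(
                name=t.get("name", ""), version=t.get("version", ""),
                author=t.get("vendor", "")))
    elif isinstance(tools, dict):  # 1.5: {"components": [...], "services": [...]}
        for c in tools.get("components", []):
            repo.components.add(ToolComponent(
                name=c.get("name", ""), version=c.get("version", ""),
                author=c.get("author", ""), type=c.get("type", "application")))
        repo.services = list(tools.get("services", []))
    else:
        raise ValueError(f"unsupported metadata.tools shape: {type(tools).__name__}")
    return repo


def serialize_metadata_tools(repo: Optional[ToolRepository], spec_version: str):
    """Emit `metadata.tools` for the target spec version; None stays None."""
    if repo is None:
        return None
    comps = sorted(repo.components)
    if spec_version in ("1.2", "1.3", "1.4"):
        # Downgrade: only vendor/name/version is expressible; services have
        # no legacy equivalent and are dropped.
        return [{k: v for k, v in (("vendor", c.author), ("name", c.name),
                                   ("version", c.version)) if v} for c in comps]
    out: dict = {}
    if comps:
        out["components"] = [{k: v for k, v in (("type", c.type), ("author", c.author),
                                                ("name", c.name), ("version", c.version)) if v}
                             for c in comps]
    if repo.services:
        out["services"] = list(repo.services)
    return out


def round_trip(metadata: dict, spec_version: str) -> dict:
    """Parse and re-emit `tools`, leaving every other metadata key untouched."""
    out = {k: v for k, v in metadata.items() if k != "tools"}
    tools = serialize_metadata_tools(parse_metadata_tools(metadata), spec_version)
    if tools is not None:
        out["tools"] = tools
    return out


def add_generator(repo: Optional[ToolRepository], name: str, version: str,
                  author: str = "") -> ToolRepository:
    """Explicitly record the generating tool, the step v8 leaves to the caller."""
    repo = repo if repo is not None else ToolRepository()
    repo.components.add(ToolComponent(name=name, version=version, author=author))
    return repo


# Constructed sample inputs, modelled on the Syft snippet quoted in the thread.
SYFT_METADATA_15 = {
    "timestamp": "2024-06-10T13:06:52-08:00",
    "tools": {"components": [{"type": "application", "author": "anchore",
                              "name": "syft", "version": "1.4.1"}]},
    "component": {"bom-ref": "08329a07b4eb8eac", "type": "file", "name": "./"},
}
LEGACY_METADATA_14 = {
    "timestamp": "2024-06-10T13:06:52-08:00",
    "tools": [{"vendor": "anchore", "name": "syft", "version": "1.4.1"}],
}
NO_TOOLS_METADATA = {"timestamp": "2024-06-10T13:06:52-08:00"}

if __name__ == "__main__":
    for meta, ver in ((SYFT_METADATA_15, "1.5"), (LEGACY_METADATA_14, "1.5"),
                      (SYFT_METADATA_15, "1.4"), (NO_TOOLS_METADATA, "1.5")):
        print(ver, json.dumps(round_trip(meta, ver), indent=2))
```

The two checks worth keeping from this are the ones the PR's Fixes section implies: a document without `tools` must round-trip byte-for-byte (no self-registration of the serialiser), and the legacy array and the 1.5 object must parse to the same set of tool components so that downgrading to 1.4 on output is lossless for the vendor/name/version triple.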
@jkowalleck jkowalleck added enhancement New feature or request schema 1.5 labels Sep 6, 2024
fixes #673

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
fixes #594

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
reworked `ThisTool` for #635

---------

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
QA for #649

---------

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck jkowalleck added QA Quality Assurance dependencies and removed dependencies labels Sep 17, 2024
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck jkowalleck marked this pull request as ready for review September 18, 2024 13:57
@jkowalleck jkowalleck added this to the 8.0.0 milestone Sep 18, 2024
jkowalleck and others added 2 commits September 23, 2024 10:31
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
fixes #681

---------

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: semantic-release <semantic-release@bot.local>
Co-authored-by: semantic-release <semantic-release@bot.local>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck jkowalleck added the documentation Improvements or additions to documentation label Sep 23, 2024
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
jkowalleck (Member, Author) commented:
downstream integration succeeded, as of CycloneDX/cyclonedx-python#796

will publish a release candidate, soon

Automatically generated by python-semantic-release

Signed-off-by: semantic-release <semantic-release@bot.local>
jkowalleck and others added 4 commits September 27, 2024 12:59
Item class of repository is to be called in singular(`Tool`).

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Automatically generated by python-semantic-release

Signed-off-by: semantic-release <semantic-release@bot.local>
jkowalleck commented Sep 27, 2024

Labels
breaking change chore documentation Improvements or additions to documentation enhancement New feature or request QA Quality Assurance schema 1.5
2 participants