feat!: v8.0.0

.github/workflows/release.yml

@@ -120,7 +120,7 @@ jobs:
         # see https://github.com/pypa/gh-action-pypi-publish
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          password: ${{ secrets.PYPI_TOKEN }}
+          attestations: true
 
       - name: Publish package distributions to GitHub Releases
         if: steps.release.outputs.released == 'true'

CHANGELOG.md

@@ -2,8 +2,135 @@
 
 
 
+## v8.0.0-rc.2 (2024-09-27)
+
+### Fix
+
+* fix: ToolRepository serialize migrated tools deduplicated (#686)
+
+Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> ([`35ccdd1`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/35ccdd1bfec9757457763308d16e1dbf5d9e28e9))
+
+### Unknown
+
+* docs
+
+Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> ([`2e16408`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/2e16408098a3c649b80fb407d4f43aaa34aee39f))
+
+* rename `ToolsRepository` -> `ToolRepository` (#687)
+
+Item class of repository is to be called in singular(`Tool`).
+
+Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> ([`e00af17`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/e00af1739fa6d3933315e96266d96d9b290012ee))
+
+
+## v8.0.0-rc.1 (2024-09-25)
+
+### Chore
+
+* chore(dev-deps): use `tomli` (#685)
+
+Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> ([`733ba0e`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/733ba0ebefc7d913290ce32d999620332551e50a))
+
+* chore: trusted publishing (#682)
+
+fixes #681
+
+---------
+
+Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
+Signed-off-by: semantic-release <semantic-release@bot.local>
+Co-authored-by: semantic-release <semantic-release@bot.local> ([`96386cc`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/96386cc88a65f85c7040400dd739aecde7f4d184))
+
+### Documentation
+
+* docs: migrate to v8.0.0 (#684)
+
+Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> ([`0ac84d7`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/0ac84d76f2e526f329937ab004480405492e7417))
+
+### Fix
+
+* fix: assert copyright headers
+
+Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> ([`bef268b`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/bef268b7abe2c3f343274d7789906c99c80e9df9))
+
+### Unknown
+
+* Merge branch 'main' into 8.0.0-dev
+
+Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> ([`39514b3`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/39514b331eef98fbf5208ead341060831f8acddf))
+
+* Merge branch 'main' into 8.0.0-dev ([`c123aff`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/c123aff4bd479ec0f5f1982725ffe8901afb87c9))
+
+
 ## v7.6.1 (2024-09-18)
 
+### Breaking
+
+* feat!: this-builder (#649)
+
+reworked `ThisTool` for #635
+
+---------
+
+Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> ([`cf5d2c7`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/cf5d2c7e43883967c5d5837f465ecac5a8cc034e))
+
+* refactor!: `LicenseExpression()` optional args are named args (#595)
+
+fixes #594
+
+Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> ([`0172564`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/0172564d5f9529e7ce543da434969b552833de31))
+
+* feat!: Add component and services for tools (#635)
+
+CycloneDX spec 1.5 deprecated an array of tools in bom.metadata and
+instead prefers object with an array of components and an array of
+services.
+
+This PR implements that.
+
+This works de-serializing a Syft SBOM with a tool section like so:
+```
+  "metadata": {
+    "timestamp": "2024-06-10T13:06:52-08:00",
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "author": "anchore",
+          "name": "syft",
+          "version": "1.4.1"
+        }
+      ]
+    },
+    "component": {
+      "bom-ref": "08329a07b4eb8eac",
+      "type": "file",
+      "name": "./"
+    }
+  },
+```
+Next up: docs, XML (de)serialization code, and tests.
+
+fixes #561
+
+---------
+
+Signed-off-by: Joshua Kugler <tek30584@adobe.com>
+Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
+Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com> ([`1f5fd7a`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/1f5fd7a6be94d93d2260622d39ea01cd74614402))
+
+* feat!: 8.0.0
+
+Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> ([`9ba4b8e`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/9ba4b8e5d255c8dba51df214786328bfa700291c))
+
+### Feature
+
+* feat: don't add self to `metafata.tools` (#674)
+
+fixes #673
+
+Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> ([`e0a153f`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/e0a153fbd553dcf29343d72e361c1cc9122c63b4))
+
 ### Fix
 
 * fix: file copyright headers (#676)
@@ -14,6 +141,30 @@ correct headers
 
 Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> ([`35e00b4`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/35e00b4ee5a9306b9e97b011025409bcbfcef309))
 
+### Refactor
+
+* refactor: simplify `.builder.this.this_tool`
+
+Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> ([`9940cf9`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/9940cf95e619d67a2a15ff7e6784513059e6ab5e))
+
+### Unknown
+
+* Merge branch 'main' into 8.0.0-dev ([`3d1548a`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/3d1548abf5db45764a22fcca96493574f96ff693))
+
+* Merge branch 'main' into 8.0.0-dev
+
+Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> ([`735c800`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/735c8003ce88b0c6efa802ccd806f17d22b4df89))
+
+* tests: test builder this (#675)
+
+QA for https://github.com/CycloneDX/cyclonedx-python-lib/pull/649
+
+---------
+
+Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> ([`e4ad3bc`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/e4ad3bce1f97f77d7c3468765e47dd15929cbbcd))
+
+* Merge branch 'main' into 8.0.0-dev ([`0ec785d`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/0ec785d29abcc215a5a0f6feec9bf16b0994cc92))
+
 
 ## v7.6.0 (2024-08-14)
 

cyclonedx/__init__.py

@@ -22,4 +22,4 @@
 
 # !! version is managed by semantic_release
 # do not use typing here, or else `semantic_release` might have issues finding the variable
-__version__ = "7.6.1"  # noqa:Q000
+__version__ = "8.0.0-rc.2"  # noqa:Q000

cyclonedx/builder/__init__.py

@@ -0,0 +1,20 @@
+# This file is part of CycloneDX Python Library
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+
+"""
+Builders used in this library.
+"""

cyclonedx/builder/this.py

@@ -0,0 +1,83 @@
+# This file is part of CycloneDX Python Library
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+
+"""Representation of this very python library."""
+
+__all__ = ['this_component', 'this_tool', ]
+
+from .. import __version__ as __ThisVersion  # noqa: N812
+from ..model import ExternalReference, ExternalReferenceType, XsUri
+from ..model.component import Component, ComponentType
+from ..model.license import DisjunctiveLicense, LicenseAcknowledgement
+from ..model.tool import Tool
+
+# !!! keep this file in sync with `pyproject.toml`
+
+
+def this_component() -> Component:
+    """Representation of this very python library as a :class:`Component`."""
+    return Component(
+        type=ComponentType.LIBRARY,
+        group='CycloneDX',
+        name='cyclonedx-python-lib',
+        version=__ThisVersion or 'UNKNOWN',
+        description='Python library for CycloneDX',
+        licenses=(DisjunctiveLicense(id='Apache-2.0',
+                                     acknowledgement=LicenseAcknowledgement.DECLARED),),
+        external_references=(
+            # let's assume this is not a fork
+            ExternalReference(
+                type=ExternalReferenceType.WEBSITE,
+                url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/#readme')
+            ),
+            ExternalReference(
+                type=ExternalReferenceType.DOCUMENTATION,
+                url=XsUri('https://cyclonedx-python-library.readthedocs.io/')
+            ),
+            ExternalReference(
+                type=ExternalReferenceType.VCS,
+                url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib')
+            ),
+            ExternalReference(
+                type=ExternalReferenceType.BUILD_SYSTEM,
+                url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/actions')
+            ),
+            ExternalReference(
+                type=ExternalReferenceType.ISSUE_TRACKER,
+                url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/issues')
+            ),
+            ExternalReference(
+                type=ExternalReferenceType.LICENSE,
+                url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE')
+            ),
+            ExternalReference(
+                type=ExternalReferenceType.RELEASE_NOTES,
+                url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md')
+            ),
+            # we cannot assert where the lib was fetched from, but we can give a hint
+            ExternalReference(
+                type=ExternalReferenceType.DISTRIBUTION,
+                url=XsUri('https://pypi.org/project/cyclonedx-python-lib/')
+            ),
+        ),
+        # to be extended...
+    )
+
+
+def this_tool() -> Tool:
+    """Representation of this very python library as a :class:`Tool`."""
+    return Tool.from_component(this_component())