CycloneDX · jkowalleck · Sep 23, 2024 · Sep 23, 2024 · Sep 23, 2024 · Sep 23, 2024
@@ -47,3 +47,4 @@ If you're looking for a CycloneDX tool to run to generate (SBOM) software bill-o
    contributing
    support
    changelog
+   upgrading
@@ -0,0 +1,62 @@
+Upgrading to v8
+===============
+
+Version 8 is not backwards compatible. Some behaviours and integrations changed.
+This document covers all breaking changes and should give guidance how to migrate from previous versions.
+
+This document is not a full :doc:`change log <changelog>`, but a migration path.
+
+Add this library to Metadata Tools
+----------------------------------
+
+This library no longer adds itself to the metadata.
+
+Downstream users SHOULD add the following to their BOM build processes,
+to keep track of used libraries during the build process.
+
+.. code-block:: python
+
+    from cyclonedx.builder.this import this_component as cdx_lib_component
+    from cyclonedx.model.bom import Bom
+
+    bom = Bom()
+    bom.metadata.tools.components.add(cdx_lib_component())
+
+Import model Tool
+-----------------
+
+Class `cyclonedx.model.Tool` was moved to :class:`cyclonedx.model.tool.Tool`.
+Therefore, the imports need to be migrated:
+
+Old: ``from cyclonedx.model import Tool``
+
+New: ``from cyclonedx.model.tool import Tool``
+
+Alter Metadata Tools
+--------------------
+
+Property :attr:`cyclonedx.model.bom.BomMetaData.tools` is an instance of :class:`cyclonedx.model.tool.ToolsRepository`, now.
+Therefore, the process of adding new tools needs to be migrated changed.
+
+Old: ``my_bom.metadata.tools.add(my_tool)``
+
+New: ``my_bom.metadata.tools.tools.add(my_tool)``
+
+Alter Vulnerability Tools
+-------------------------
+
+Property :attr:`cyclonedx.model.vulnerability.Vulnerability.tools` is an instance of :class:`cyclonedx.model.tool.ToolsRepository`, now.
+Therefore, the process of adding new tools needs to be migrated changed.
+
+Old: ``my_vulnerability.tools.add(my_tool)``
+
+New: ``my_vulnerability.tools.tools.add(my_tool)``
+
+Set LicenseExpression Acknowledgement
+-------------------------------------
+
+:class:`cyclonedx.model.license.LicenseExpression()` no longer accepts optional arguments in a positional way, but in a key-word way.
+
+Old: ``LicenseExpression(my_exp, my_acknowledgement)``
+
+New: ``LicenseExpression(my_exp, acknowledgement=my_acknowledgement)``
@@ -20,6 +20,7 @@
 
 from packageurl import PackageURL
 
+from cyclonedx.builder.this import this_component as cdx_lib_component
 from cyclonedx.exception import MissingOptionalDependencyException
 from cyclonedx.factory.license import LicenseFactory
 from cyclonedx.model import XsUri
@@ -43,6 +44,8 @@
 # region build the BOM
 
 bom = Bom()
+bom.metadata.tools.components.add(cdx_lib_component())
+
 bom.metadata.component = root_component = Component(
     name='myApp',
     type=ComponentType.APPLICATION,