Changelog

v2.7.0 (2022-07-21)

Feature

  • Support for CycloneDX schema 1.4.2 - adds vulnerability.properties to the schema (32e7929)
  • Support for CycloneDX schema version 1.4.2 (db7445c)
  • Added updated CycloneDX 1.4.2 schemas (7fb27ae)

v2.6.0 (2022-06-20)

Feature

  • Reduce unnecessary type casting of set/SortedSet (#203) (089d971)

v2.5.2 (2022-06-15)

Fix

  • Add expected lower-than comparators for OrganizationalEntity and VulnerabilityCredits (#248) (0046ee1)

v2.5.1 (2022-06-10)

Fix

  • Add missing Vulnerability comparator for sorting (#246) (c3f3d0d)

v2.5.0 (2022-06-10)

Feature

  • Use SortedSet in model to improve reproducibility - this will provide predictable ordering of various items in generated CycloneDX documents - thanks to @RodneyRichardson (8a1c404)

Documentation

  • Fix typo "This is out" -> "This is our" (ef0278a)

v2.4.0 (2022-05-17)

Feature

  • deps: Remove unused typing-extensions constraints (2ce358a)

v2.3.0 (2022-04-20)

Feature

  • Add support for Dependency Graph in Model and output serialisation (ea34513)

v2.2.0 (2022-04-12)

Feature

  • Bump XML schemas to latest fix version for 1.2-1.4 - see: (bd2e756)
  • Bump JSON schemas to latest fix version for 1.2 and 1.3 - see: (bd6a088)

v2.1.1 (2022-04-05)

Fix

  • Prevent error if version not set (b9a84b5)
  • version being optional in JSON output can raise error (ba0c82f)

v2.1.0 (2022-03-28)

Feature

  • Output errors are verbose (bfe8fb1)

v2.0.0 (2022-02-21)

Feature

  • Bump dependencies (da3f0ca)
  • Completed work on #155 (#172) (a926b34)
  • Support complete model for bom.metadata (#162) (2938a6c)
  • Support for bom.externalReferences in JSON and XML #124 (1b733d7)
  • Complete support for bom.components (#155) (32c0139)
  • Support services in XML BOMs (9edf6c9)

Fix

  • license_url not serialised in XML output #179 (#180) (f014d7c)
  • Component.bom_ref is not Optional in our model implementation (in the schema it is) - we generate a UUID if bom_ref is not supplied explicitly (5c954d1)
  • Temporary fix for __hash__ of Component with properties #153 (a51766d)
  • Further fix for #150 (1f55f3e)
  • Regression introduced by first fix for #150 (c09e396)
  • Components with no version (optional since 1.4) produce invalid BOM output in XML #150 (70d25c8)
  • expression not supported in Component Licenses for version 1.0 (15b081b)

Breaking

  • Adopt PEP-3102 (da3f0ca)
  • Optional Lists are now non-optional Sets (da3f0ca)
  • Remove concept of DEFAULT schema version - replaced with LATEST schema version (da3f0ca)
  • Added BomRef data type (da3f0ca)

v1.3.0 (2022-01-24)

Feature

  • bom-ref for Component and Vulnerability default to a UUID (#142) (3953bb6)

v1.2.0 (2022-01-24)

Feature

v1.1.1 (2022-01-19)

Fix

v1.1.0 (2022-01-13)

Feature

  • Add support for bom.metadata.component (#118) (1ac31f4)

v1.0.0 (2022-01-13)

Support for CycloneDX schema version 1.4 (#108)

Breaking Changes

Support for CycloneDX 1.4. This includes:

  • Support for tools having externalReferences
  • Allowing version for a Component to be optional in 1.4
  • Support for releaseNotes per Component
  • Support for the core schema implementation of Vulnerabilities (VEX)

Features

Fixes

  • Unit tests now include schema validation (we've left schema validation out of the core library due to dependency bloat)
  • Ensure schema is adhered to in 1.0
  • URIs are now used throughout the library through a new XsUri class to provide URI validation

Other

v0.12.3 (2021-12-15)

Fix

  • Removed requirements-parser as dependency (temp) as not available for Python 3 as Wheel (#98) (3677d9f)

v0.12.2 (2021-12-09)

Fix

  • Tightened dependency packageurl-python (#95) (eb4ae5c)

v0.12.1 (2021-12-09)

Fix

  • Further loosened dependency definitions (8bef6ec)

v0.12.0 (2021-12-09)

Feature

  • Loosened dependency versions to make this library more consumable (55f10fb)

v0.11.1 (2021-11-10)

Fix

  • Constructor for Vulnerability to correctly define ratings as optional (395a0ec)

v0.11.0 (2021-11-10)

Feature

v0.10.2 (2021-10-21)

Fix

  • Correct way to write utf-8 encoded files (49f9369)

v0.10.1 (2021-10-21)

Fix

  • Ensure output to file is UTF-8 (a10da20)
  • Ensure output to file is UTF-8 (193bf64)

v0.10.0 (2021-10-20)

Feature

v0.9.1 (2021-10-19)

Fix

  • Missing check for Classifiers in Environment Parser (b7fa38e)

v0.9.0 (2021-10-19)

Feature

  • Add support for parsing package licenses when using the Environment Parsers (c414eaf)

v0.8.3 (2021-10-14)

Fix

  • Coding standards violations (00cd1ca)
  • Handle Pipfile.lock dependencies without an index specified (26c62fb)

v0.8.2 (2021-10-14)

Fix

  • Add namespace and subpath support to Component to complete PackageURL Spec support (780adeb)

v0.8.1 (2021-10-12)

Fix

  • Multiple hashes being created for an externalReference which is not as required (970d192)

v0.8.0 (2021-10-12)

Feature

  • Add support for externalReferences for Components and associated enhancements to parsers to obtain information where possible/known (a152852)

v0.7.0 (2021-10-11)

Feature

  • Support for pipenv.lock file parsing (68a2dff)

v0.6.2 (2021-10-11)

Fix

  • Added ability to add tools in addition to this library when generating CycloneDX, plus fixes relating to multiple BOM instances (e03a25c)

v0.6.1 (2021-10-11)

Fix

  • Better methods for checking if a Component is already represented in the BOM, and the ability to get the existing instance (5fee85f)

v0.6.0 (2021-10-11)

Feature

v0.5.0 (2021-10-11)

Feature

  • Add support for tool(s) that generated the SBOM (7d1e6ef)

Fix

  • Bumped a dependency version (efc1053)

v0.4.1 (2021-09-27)

Fix

  • Improved handling for requirements.txt content without pinned or declared versions (7f318cb)

v0.4.0 (2021-09-16)

Feature

  • Support for localising vectors (i.e. stripping out any scheme prefix) (b9e9e17)
  • Helper methods for deriving Severity and SourceType (6a86ec2)

Fix

  • Removed print call (8806553)
  • Relaxed typing of parameter to be compatible with Python < 3.9 (f9c7990)
  • Removed print call (d272d2e)
  • Remove unused commented out code (ba4f285)

v0.3.0 (2021-09-15)

Feature

  • Adding support for extension schema that describes vulnerability disclosures (d496695)

v0.2.0 (2021-09-14)

Feature

  • Added helper method to return a PackageURL object representing a Component (367bef1)

Fix

  • Whitespace on empty line removed (cfc952e)

v0.1.0 (2021-09-13)

Feature

v0.0.11 (2021-09-10)

Fix

  • test: Test was not updated for revised author statement (d1c9d37)
  • build: Test failure and dependency missing (9a2cfe9)
  • build: Removed artefacts associated with non-poetry build (f9119d4)

v0.0.10 (2021-09-08)

Fix

v0.0.9 (2021-09-08)

Fix

  • Additional info to poetry, remove circleci (2fcfa5a)

v0.0.8 (2021-09-08)

Fix

  • Initial release to pypi, tell poetry to include cyclonedx package (a030177)

v0.0.7 (2021-09-08)

Fix

v0.0.6 (2021-09-08)

Fix

  • Initial release to pypi (99687db)

v0.0.5 (2021-09-08)

v0.0.4 (2021-09-08)

v0.0.3 (2021-09-08)

v0.0.2 (2021-09-08)