v0.9.1

Changelog

Fixes

• 6f0e0cf: fix: nil pointer dereference during evidence conversion (@nscuro)
• ce43b6f: fix: make linter happy (@nscuro)
• 5d799e6: fix: remove deprecated goreleaser flag (@nscuro)

Building and Packaging

• 6d5bcb0: build(deps): bump actions/checkout from 4.1.6 to 4.1.7 (@dependabot[bot])
• f34fc0c: build(deps): bump actions/setup-go from 5.0.1 to 5.0.2 (@dependabot[bot])
• 71cff22: build(deps): bump gitpod/workspace-go from 8d15123 to 2a9e01c (@dependabot[bot])
• ea69355: build(deps): bump golangci/golangci-lint-action from 6.0.1 to 6.1.0 (@dependabot[bot])
• d5cbdad: build(deps): bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0 (@dependabot[bot])

v0.9.0

Changelog

Features

• 729c284: feat: Add CycloneDX 1.6 fields swhid and omniborId (@snyk-tim)
• b5d3595: feat: add manufacturer and authors (@snyk-tim)
• c52e698: feat: raise baseline go version to 1.20 (@nscuro)

Fixes

• 9166e10: fix: ioutil -> io (@nscuro)
• 349fc8c: fix: add bom-ref to OrganizationalEntity/Contact (@snyk-tim)
• c97da90: fix: handle breaking changes in skywalking-eyes (@nscuro)

Building and Packaging

• ec6291e: build(deps): bump actions/checkout from 4.1.1 to 4.1.5 (@dependabot[bot])
• 899fe39: build(deps): bump actions/checkout from 4.1.5 to 4.1.6 (@dependabot[bot])
• 8674ed5: build(deps): bump actions/setup-go from 5.0.0 to 5.0.1 (@dependabot[bot])
• db3a114: build(deps): bump apache/skywalking-eyes from 0.4.0 to 0.6.0 (@dependabot[bot])
• a3bd055: build(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (@dependabot[bot])
• 1179dd9: build(deps): bump gitpod/workspace-go from 8b9a0f6 to 8d15123 (@dependabot[bot])
• d98494e: build(deps): bump gitpod/workspace-go from 9118b93 to 8b9a0f6 (@dependabot[bot])
• 1e2a3a0: build(deps): bump gitpod/workspace-go from 94ae638 to 9118b93 (@dependabot[bot])
• d4d6e35: build(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (@dependabot[bot])
• 521d1ce: build(deps): bump golangci/golangci-lint-action from 4.0.0 to 6.0.1 (@dependabot[bot])
• f1ebafe: build(deps): bump goreleaser/goreleaser-action from 5.0.0 to 5.1.0 (@dependabot[bot])

Others

• 16d2143: Fix(1.6): Added missing omitempty in NistQuantumSecurityLevel (@Petzys)
• ffec473: chore: add license header (@mcombuechen)
• 1f8fdcc: feat(1.6): add BOM.Declarations (@mcombuechen)
• 62b5342: feat(1.6): add BOM.Definitions (@mcombuechen)
• c33b9cb: feat(1.6): add CBOM types (@Petzys)
• 10e10c8: feat(1.6): add JSON schema, XML namespace (@mcombuechen)
• 2dc599a: feat(1.6): add License.Acknowledgement (@mcombuechen)
• 7a32fde: feat(1.6): add PostalAddress type (@mcombuechen)
• b8e4529: feat(1.6): add SpecVersion for v1.6 (@mcombuechen)
• c877828: feat(1.6): add environmentalConsiderations (@mcombuechen)
• e0e9c67: feat(1.6): add schema definitions for CycloneDX 1.6 (@mcombuechen)
• b1636c2: feat(1.6): extend EvidenceOccurrence (@mcombuechen)
• b4b3b94: fix(1.6): convert occurrences of OrganizationalEntity (@mcombuechen)
• 9332ca6: fix(1.6): fix json, xml labels on BOM.Definitions (@mcombuechen)

v0.8.0

This release ships with almost complete support for v1.5 of the CycloneDX specification.

The only exception being the extended data flow support, as used in SaaS BOMs.

Unfortunately, there are also breaking changes in this release:

• The type of Metadata.Tools has changed from *[]Tool to *ToolsChoice, to facilitate the deprecation of Tool in the spec
  • ToolsChoice holds both legacy *[]Tool, as well as the new *[]Component and *[]Service fields
  • The Tool type, as well as the ToolsChoice.Tools field are marked as deprecated
  • During encoding and decoding, it is asserted that only one of both options can be present, in accordance with the "One of" constraint of the spec
  • When encoding to lower spec versions than v1.5 (using EncodeVersion), Components and Services are automatically converted to legacy Tools
  • It is strongly recommended to use Components and Services. However, when consuming BOMs, applications should still expect legacy Tools to be present, and handle them accordingly.

Changelog

Fixes

• 64eb0c8: fix: remove format linters that require extra tooling (@nscuro)

Building and Packaging

• 696aa66: build(deps): bump actions/checkout from 3.5.3 to 4.1.0 (@dependabot[bot])
• b50b319: build(deps): bump actions/checkout from 4.1.0 to 4.1.1 (@dependabot[bot])
• 5cad1b0: build(deps): bump actions/setup-go from 4.1.0 to 5.0.0 (@dependabot[bot])
• b091061: build(deps): bump gitpod/workspace-go from d3603c7 to 94ae638 (@dependabot[bot])
• 9e310b6: build(deps): bump gitpod/workspace-go from f37c673 to d3603c7 (@dependabot[bot])
• 89494fd: build(deps): bump goreleaser/goreleaser-action from 4.4.0 to 5.0.0 (@dependabot[bot])

Others

• 61dd91e: feat(spec1-5): add support for machine learning (@nscuro)
• f831960: feat(spec1-5): update valid-vulnerability test snapshots (@nscuro)
• ffc9a4e: ci: enable more linters (@mmorel-35)
• 3feda75: feat(spec1-5): add additional external reference types (@nscuro)
• bd66a36: feat(spec1-5): add support for CVSSv4 scoring method (@nscuro)
• d597bb9: feat(spec1-5): add support for firstIssued and lastUpdated in vuln analysis (@nscuro)
• 2ae5445: feat(spec1-5): add support for additional compositions and composition identity (@nscuro)
• f856daa: feat(spec1-5): add support for formulation (@nscuro)
• 2fbde0e: feat(spec1-5): add support for identity, occurrences, and callstack evidence (@nscuro)
• 745a35a: feat(spec1-5): add support for licensing (@nscuro)
• b02255f: feat(spec1-5): add support for lifecycles (@nscuro)
• fe3a904: feat(spec1-5): add support for ssvc scoring method (@nscuro)
• 7d2713f: feat(spec1-5): add support for vulnerability proof of concept (@nscuro)
• 25b250a: feat(spec1-5): add support for vulnerability rejected timestamps (@nscuro)
• c7a84ac: feat(spec1-5): handle deprecation of tools (@nscuro)

v0.7.2

This is a bugfix release that ships with minimal support for the CycloneDX v1.5 specification.

Full support is being worked on and planned to be released soon. The progress may be tracked in #90.

The reason for publishing partial support like this is to allow the consumption of v1.5 BOMs, which fails with cyclonedx-go <= v0.7.1.

Warning
The default SpecVersion has been updated to SpecVersion1_5. If your application generates BOMs, and you're not ready (or willing) to distribute BOMs following the v1.5 specification yet, consider using EncodeVersion to generate output for an older version of the spec.

Changelog

Features

• 7128a92: feat: raise baseline go version to 1.18 (@nscuro)

Fixes

• ff719b6: fix: unmarshal bom on v1.5 return invalid specification version (@chen-keinan)

Building and Packaging

• 966c223: build(deps): bump CycloneDX/gh-gomod-generate-sbom from 1.1.0 to 2.0.0 (@dependabot[bot])
• 1e83e85: build(deps): bump actions/checkout from 3.5.0 to 3.5.1 (@dependabot[bot])
• 78f6593: build(deps): bump actions/checkout from 3.5.1 to 3.5.2 (@dependabot[bot])
• 868f6db: build(deps): bump actions/checkout from 3.5.2 to 3.5.3 (@dependabot[bot])
• 5885827: build(deps): bump actions/setup-go from 4.0.0 to 4.0.1 (@dependabot[bot])
• d772b54: build(deps): bump actions/setup-go from 4.0.1 to 4.1.0 (@dependabot[bot])
• 578e862: build(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.4 (@dependabot[bot])
• f83e6a7: build(deps): bump gitpod/workspace-go from 2be827f to 910daeb (@dependabot[bot])
• cd7b23a: build(deps): bump gitpod/workspace-go from 910daeb to d7a41f5 (@dependabot[bot])
• 668553d: build(deps): bump gitpod/workspace-go from d7a41f5 to f37c673 (@dependabot[bot])
• d9a5f8c: build(deps): bump golangci/golangci-lint-action from 3.4.0 to 3.5.0 (@dependabot[bot])
• 66f96df: build(deps): bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 (@dependabot[bot])
• 8b51c39: build(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (@dependabot[bot])
• e44f7de: build(deps): bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 (@dependabot[bot])
• 6360fe1: build(deps): bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (@dependabot[bot])

Others

• a069906: feat(spec1-5): add initial support for spec v1.5 (@nscuro)
• 67a7567: feat(spec1-5): add licensing, license properties, and license bom-ref (@nscuro)
• d2f3bb9: feat(spec1-5): add lifecycle support (@nscuro)
• eb041b5: feat(spec1-5): add new component types (@nscuro)
• c45ba61: feat(spec1-5): add new external reference types (@nscuro)
• d84947d: feat(spec1-5): add support for annotations (@nscuro)
• 0ba0496: feat(spec1-5): bump schema to 1.5 for round-trip tests (@nscuro)
• 4e20914: misc(dx): add project icon for intellij and goland (@nscuro)

v0.7.1

Changelog

Features

• a1db675: feat: add JSON Schema to JSON output (#79) (@mcombuechen)
• 41a1ac5: feat: option to specify HTML escaping for JSON format (#72) (@kzantow)

Fixes

• 08953d1: fix: gitpod.yml refers to wrong Dockerfile (@nscuro)
• 97c1e5a: fix: license header in Dockerfile.gitpod (@nscuro)

Building and Packaging

• b904cab: build(deps): bump actions/checkout from 3.0.2 to 3.1.0 (@dependabot[bot])
• 66aa7d3: build(deps): bump actions/checkout from 3.1.0 to 3.2.0 (@dependabot[bot])
• 5a0b406: build(deps): bump actions/checkout from 3.2.0 to 3.3.0 (@dependabot[bot])
• 8c73864: build(deps): bump actions/checkout from 3.3.0 to 3.4.0 (@dependabot[bot])
• 6dc0ac5: build(deps): bump actions/checkout from 3.4.0 to 3.5.0 (@dependabot[bot])
• 393b665: build(deps): bump actions/setup-go from 3.3.0 to 3.3.1 (@dependabot[bot])
• dace5ef: build(deps): bump actions/setup-go from 3.3.1 to 3.4.0 (@dependabot[bot])
• a7d5143: build(deps): bump actions/setup-go from 3.4.0 to 3.5.0 (@dependabot[bot])
• fd636f7: build(deps): bump actions/setup-go from 3.5.0 to 4.0.0 (@dependabot[bot])
• e3af71d: build(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (@dependabot[bot])
• 2fe798d: build(deps): bump github.com/stretchr/testify from 1.8.1 to 1.8.2 (@dependabot[bot])
• 6b726a5: build(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.0 (@dependabot[bot])
• f8ad513: build(deps): bump golangci/golangci-lint-action from 3.3.0 to 3.3.1 (@dependabot[bot])
• be3d2c3: build(deps): bump golangci/golangci-lint-action from 3.3.1 to 3.4.0 (@dependabot[bot])
• f72e6b7: build(deps): bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (@dependabot[bot])
• 0414aa0: build(deps): bump goreleaser/goreleaser-action from 4.1.0 to 4.2.0 (@dependabot[bot])
• fb45216: build: pin digest of gitpod image (@nscuro)
• 3f98a11: build: pin github actions to commit digest (@nscuro)

Others

• eaa4df6: Error if invalid json is passed. (@justinabrahms)
• e4fe5c6: ci: enable dependabot for docker ecosystem (@nscuro)
• 05a6bb7: ci: update cyclonedx-cli to 0.24.2 (@nscuro)

v0.7.0

Changelog

Features

• acb9322: feat: add enum for official media types (@nscuro)
• 2826fe2: feat: add support for encoding to older spec versions (#51) (@nscuro)
• 7a2113a: feat: raise baseline go version to 1.17 (#53) (@nscuro)
• 7415143: feat: return error when parsing unknown spec versions (@nscuro)
• 1655b7d: feat: set SpecVersion when decoding from xml (@nscuro)
• f97e04a: feat: update gitpod dockerfile (@nscuro)

Fixes

• ea0d5b7: fix: prevent nesting of Dependency (@nscuro)

Building and Packaging

• f43660c: build(deps): bump actions/setup-go from 3.1.0 to 3.2.0 (@dependabot[bot])
• 2458312: build(deps): bump actions/setup-go from 3.2.0 to 3.2.1 (@dependabot[bot])
• 760fae3: build(deps): bump actions/setup-go from 3.2.1 to 3.3.0 (@dependabot[bot])
• 4dddf51: build(deps): bump apache/skywalking-eyes from 0.3.0 to 0.4.0 (@dependabot[bot])
• 6eb6521: build(deps): bump github.com/bradleyjkemp/cupaloy/v2 from 2.7.0 to 2.8.0 (@dependabot[bot])
• bff00ef: build(deps): bump github.com/stretchr/testify from 1.7.1 to 1.7.2 (@dependabot[bot])
• fc11b56: build(deps): bump github.com/stretchr/testify from 1.7.2 to 1.7.4 (@dependabot[bot])
• f521d75: build(deps): bump github.com/stretchr/testify from 1.7.4 to 1.7.5 (@dependabot[bot])
• d5d1ab6: build(deps): bump github.com/stretchr/testify from 1.7.5 to 1.8.0 (@dependabot[bot])
• b83bbe8: build(deps): bump goreleaser/goreleaser-action from 2 to 3 (@dependabot[bot])

Documentation

• 8f8fadf: docs: fix cyclonedx-go version in compatibility matrix (@nscuro)
• 124f2be: docs: fix typos (@nscuro)

Others

• 5f10aea: refactor: refine spec version conversion to cover more cases (@nscuro)
• 0c2ebff: refactor: separate custom marshalling logic from model (@nscuro)

v0.6.0

Changelog

Features

• 3cc319e: feat: add support for bom links (#33) (@nscuro)

Fixes

• 5f285ff: fix: add missing Properties (#39) (@desenna)

Building and Packaging

• d063798: build(deps): bump actions/checkout from 3.0.0 to 3.0.2 (@dependabot[bot])
• 0b1d408: build(deps): bump actions/setup-go from 3.0.0 to 3.1.0 (@dependabot[bot])
• 47702c4: build(deps): bump apache/skywalking-eyes from 0.2.0 to 0.3.0 (@dependabot[bot])
• 5940b17: build(deps): bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (@dependabot[bot])

v0.5.2

Changelog

Fixes

• 0a1487e: fix: edit casing of email (#30) (@jspeed-meyers)
• 644d3e5: fix: encoding of XML chars in tags (@derkoe)

Building and Packaging

• dea6490: build(actions): set permissions and timeouts (@nscuro)
• 22c6201: build(actions): update cyclonedx cli to 0.24.0 (@nscuro)
• 9d0e58e: build(goreleaser): use native sboms feature (@nscuro)

v0.5.1

Changelog

Fixes

• 1fd9caf: fix: make vuln rating score optional (@nscuro)

Building and Packaging

• 1f31d49: build(ci): add setup-go to lint job (@nscuro)
• 018dff2: build(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (@dependabot[bot])
• 15708b3: build(deps): bump golangci/golangci-lint-action from 2 to 3.1.0 (@dependabot[bot])
• a2abeb6: build(deps): update actions/checkout to v3.0.0 (@nscuro)
• ba3af87: build(deps): update actions/setup-go to v3.0.0 (@nscuro)

v0.5.0

Changelog

Features

• ae38021: feat: add gitpod configuration (@nscuro)
• 9082cd7: feat: add support for cyclonedx spec v1.4 (#16) (@nscuro)

Building and Packaging

• 1e627f6: build(ci): add license header check (@nscuro)
• c189150: build(deps): bump github.com/bradleyjkemp/cupaloy/v2 from 2.6.0 to 2.7.0 (@dependabot[bot])
• 338f68e: build(goreleaser): tweak changelog generation (@nscuro)
• aa2e423: build: drop support for go 1.14 (#11) (@nscuro)

Documentation

• 4d653db: docs: add linebreak to badge list (@nscuro)
• 9c6424e: docs: add missing license header (@nscuro)
• d40c159: docs: fix link to examples (@nscuro)
• 0562d1e: docs: provide examples in a godoc compliant way (@nscuro)
• c487c28: docs: update supported spec version in readme (@nscuro)

Others

• 82117ac: ci: build against go 1.17 (#7) (@nscuro)
• 28f9dd3: ci: update cyclonedx-gomod to v1 (#8) (@nscuro)
• 429d353: refactor: transfer copyright to owasp (@nscuro)