Releases: CycloneDX/cyclonedx-go
v0.9.2
Changelog
Features
- 39ede21: feat: add MarshalXML and UnmarshalXML (@DmitriyLewen)
- e9191ed: feat: add UnmarshalJSON (@DmitriyLewen)
Fixes
- 80fede1: fix: add json tag for
Identity
(@DmitriyLewen) - 24e9503: fix: tests (@DmitriyLewen)
- d68a199: fix: use
identity
as array invalid-evidence.json
(@DmitriyLewen) - ff9cc28: fix: use componentEvidence array for Evidence.Identity field (@DmitriyLewen)
Building and Packaging
- 016ee29: build(deps): bump actions/checkout from 4.1.7 to 4.2.0 (@dependabot[bot])
- 77153ab: build(deps): bump actions/checkout from 4.2.0 to 4.2.1 (@dependabot[bot])
- 4f50d02: build(deps): bump actions/checkout from 4.2.1 to 4.2.2 (@dependabot[bot])
- b844512: build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 (@dependabot[bot])
- 238cbea: build(deps): bump actions/setup-go from 5.1.0 to 5.2.0 (@dependabot[bot])
- bbe8f3c: build(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (@dependabot[bot])
- 05f8930: build(deps): bump github.com/terminalstatic/go-xsd-validate (@dependabot[bot])
- 082f877: build(deps): bump gitpod/workspace-go from
2a9e01c
to9c95281
(@dependabot[bot]) - 093b1c1: build(deps): bump gitpod/workspace-go from
9c95281
to6932342
(@dependabot[bot]) - 47b7e01: build(deps): bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 (@dependabot[bot])
- ce6eb84: build(deps): bump goreleaser/goreleaser-action from 6.0.0 to 6.1.0 (@dependabot[bot])
Others
- 4d3aff9: UPDATE_SNAPSHOTS=true make test (@DmitriyLewen)
- 31d9544: refactor (@DmitriyLewen)
- 0170729: refactor: update convert package (@DmitriyLewen)
v0.9.1
Changelog
Fixes
- 6f0e0cf: fix:
nil
pointer dereference during evidence conversion (@nscuro) - ce43b6f: fix: make linter happy (@nscuro)
- 5d799e6: fix: remove deprecated goreleaser flag (@nscuro)
Building and Packaging
- 6d5bcb0: build(deps): bump actions/checkout from 4.1.6 to 4.1.7 (@dependabot[bot])
- f34fc0c: build(deps): bump actions/setup-go from 5.0.1 to 5.0.2 (@dependabot[bot])
- 71cff22: build(deps): bump gitpod/workspace-go from
8d15123
to2a9e01c
(@dependabot[bot]) - ea69355: build(deps): bump golangci/golangci-lint-action from 6.0.1 to 6.1.0 (@dependabot[bot])
- d5cbdad: build(deps): bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0 (@dependabot[bot])
v0.9.0
Changelog
Features
- 729c284: feat: Add CycloneDX 1.6 fields swhid and omniborId (@snyk-tim)
- b5d3595: feat: add manufacturer and authors (@snyk-tim)
- c52e698: feat: raise baseline go version to 1.20 (@nscuro)
Fixes
- 9166e10: fix:
ioutil
->io
(@nscuro) - 349fc8c: fix: add bom-ref to OrganizationalEntity/Contact (@snyk-tim)
- c97da90: fix: handle breaking changes in skywalking-eyes (@nscuro)
Building and Packaging
- ec6291e: build(deps): bump actions/checkout from 4.1.1 to 4.1.5 (@dependabot[bot])
- 899fe39: build(deps): bump actions/checkout from 4.1.5 to 4.1.6 (@dependabot[bot])
- 8674ed5: build(deps): bump actions/setup-go from 5.0.0 to 5.0.1 (@dependabot[bot])
- db3a114: build(deps): bump apache/skywalking-eyes from 0.4.0 to 0.6.0 (@dependabot[bot])
- a3bd055: build(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (@dependabot[bot])
- 1179dd9: build(deps): bump gitpod/workspace-go from
8b9a0f6
to8d15123
(@dependabot[bot]) - d98494e: build(deps): bump gitpod/workspace-go from
9118b93
to8b9a0f6
(@dependabot[bot]) - 1e2a3a0: build(deps): bump gitpod/workspace-go from
94ae638
to9118b93
(@dependabot[bot]) - d4d6e35: build(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (@dependabot[bot])
- 521d1ce: build(deps): bump golangci/golangci-lint-action from 4.0.0 to 6.0.1 (@dependabot[bot])
- f1ebafe: build(deps): bump goreleaser/goreleaser-action from 5.0.0 to 5.1.0 (@dependabot[bot])
Others
- 16d2143: Fix(1.6): Added missing omitempty in NistQuantumSecurityLevel (@Petzys)
- ffec473: chore: add license header (@mcombuechen)
- 1f8fdcc: feat(1.6): add BOM.Declarations (@mcombuechen)
- 62b5342: feat(1.6): add BOM.Definitions (@mcombuechen)
- c33b9cb: feat(1.6): add CBOM types (@Petzys)
- 10e10c8: feat(1.6): add JSON schema, XML namespace (@mcombuechen)
- 2dc599a: feat(1.6): add License.Acknowledgement (@mcombuechen)
- 7a32fde: feat(1.6): add PostalAddress type (@mcombuechen)
- b8e4529: feat(1.6): add SpecVersion for v1.6 (@mcombuechen)
- c877828: feat(1.6): add environmentalConsiderations (@mcombuechen)
- e0e9c67: feat(1.6): add schema definitions for CycloneDX 1.6 (@mcombuechen)
- b1636c2: feat(1.6): extend EvidenceOccurrence (@mcombuechen)
- b4b3b94: fix(1.6): convert occurrences of OrganizationalEntity (@mcombuechen)
- 9332ca6: fix(1.6): fix json, xml labels on BOM.Definitions (@mcombuechen)
v0.8.0
This release ships with almost complete support for v1.5 of the CycloneDX specification.
The only exception being the extended data flow support, as used in SaaS BOMs.
Unfortunately, there are also breaking changes in this release:
- The type of
Metadata.Tools
has changed from*[]Tool
to*ToolsChoice
, to facilitate the deprecation ofTool
in the specToolsChoice
holds both legacy*[]Tool
, as well as the new*[]Component
and*[]Service
fields- The
Tool
type, as well as theToolsChoice.Tools
field are marked as deprecated - During encoding and decoding, it is asserted that only one of both options can be present, in accordance with the "One of" constraint of the spec
- When encoding to lower spec versions than v1.5 (using
EncodeVersion
),Component
s andService
s are automatically converted to legacyTool
s - It is strongly recommended to use
Component
s andService
s. However, when consuming BOMs, applications should still expect legacyTool
s to be present, and handle them accordingly.
Changelog
Fixes
Building and Packaging
- 696aa66: build(deps): bump actions/checkout from 3.5.3 to 4.1.0 (@dependabot[bot])
- b50b319: build(deps): bump actions/checkout from 4.1.0 to 4.1.1 (@dependabot[bot])
- 5cad1b0: build(deps): bump actions/setup-go from 4.1.0 to 5.0.0 (@dependabot[bot])
- b091061: build(deps): bump gitpod/workspace-go from
d3603c7
to94ae638
(@dependabot[bot]) - 9e310b6: build(deps): bump gitpod/workspace-go from
f37c673
tod3603c7
(@dependabot[bot]) - 89494fd: build(deps): bump goreleaser/goreleaser-action from 4.4.0 to 5.0.0 (@dependabot[bot])
Others
- 61dd91e: feat(spec1-5): add support for machine learning (@nscuro)
- f831960: feat(spec1-5): update
valid-vulnerability
test snapshots (@nscuro) - ffc9a4e: ci: enable more linters (@mmorel-35)
- 3feda75: feat(spec1-5): add additional external reference types (@nscuro)
- bd66a36: feat(spec1-5): add support for
CVSSv4
scoring method (@nscuro) - d597bb9: feat(spec1-5): add support for
firstIssued
andlastUpdated
in vuln analysis (@nscuro) - 2ae5445: feat(spec1-5): add support for additional compositions and composition identity (@nscuro)
- f856daa: feat(spec1-5): add support for formulation (@nscuro)
- 2fbde0e: feat(spec1-5): add support for identity, occurrences, and callstack evidence (@nscuro)
- 745a35a: feat(spec1-5): add support for licensing (@nscuro)
- b02255f: feat(spec1-5): add support for lifecycles (@nscuro)
- fe3a904: feat(spec1-5): add support for ssvc scoring method (@nscuro)
- 7d2713f: feat(spec1-5): add support for vulnerability proof of concept (@nscuro)
- 25b250a: feat(spec1-5): add support for vulnerability rejected timestamps (@nscuro)
- c7a84ac: feat(spec1-5): handle deprecation of tools (@nscuro)
v0.7.2
This is a bugfix release that ships with minimal support for the CycloneDX v1.5 specification.
Full support is being worked on and planned to be released soon. The progress may be tracked in #90.
The reason for publishing partial support like this is to allow the consumption of v1.5 BOMs, which fails with cyclonedx-go
<= v0.7.1.
Warning
The defaultSpecVersion
has been updated toSpecVersion1_5
. If your application generates BOMs, and you're not ready (or willing) to distribute BOMs following the v1.5 specification yet, consider usingEncodeVersion
to generate output for an older version of the spec.
Changelog
Features
Fixes
- ff719b6: fix: unmarshal bom on v1.5 return invalid specification version (@chen-keinan)
Building and Packaging
- 966c223: build(deps): bump CycloneDX/gh-gomod-generate-sbom from 1.1.0 to 2.0.0 (@dependabot[bot])
- 1e83e85: build(deps): bump actions/checkout from 3.5.0 to 3.5.1 (@dependabot[bot])
- 78f6593: build(deps): bump actions/checkout from 3.5.1 to 3.5.2 (@dependabot[bot])
- 868f6db: build(deps): bump actions/checkout from 3.5.2 to 3.5.3 (@dependabot[bot])
- 5885827: build(deps): bump actions/setup-go from 4.0.0 to 4.0.1 (@dependabot[bot])
- d772b54: build(deps): bump actions/setup-go from 4.0.1 to 4.1.0 (@dependabot[bot])
- 578e862: build(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.4 (@dependabot[bot])
- f83e6a7: build(deps): bump gitpod/workspace-go from
2be827f
to910daeb
(@dependabot[bot]) - cd7b23a: build(deps): bump gitpod/workspace-go from
910daeb
tod7a41f5
(@dependabot[bot]) - 668553d: build(deps): bump gitpod/workspace-go from
d7a41f5
tof37c673
(@dependabot[bot]) - d9a5f8c: build(deps): bump golangci/golangci-lint-action from 3.4.0 to 3.5.0 (@dependabot[bot])
- 66f96df: build(deps): bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 (@dependabot[bot])
- 8b51c39: build(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (@dependabot[bot])
- e44f7de: build(deps): bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 (@dependabot[bot])
- 6360fe1: build(deps): bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (@dependabot[bot])
Others
- a069906: feat(spec1-5): add initial support for spec v1.5 (@nscuro)
- 67a7567: feat(spec1-5): add licensing, license properties, and license bom-ref (@nscuro)
- d2f3bb9: feat(spec1-5): add lifecycle support (@nscuro)
- eb041b5: feat(spec1-5): add new component types (@nscuro)
- c45ba61: feat(spec1-5): add new external reference types (@nscuro)
- d84947d: feat(spec1-5): add support for annotations (@nscuro)
- 0ba0496: feat(spec1-5): bump schema to 1.5 for round-trip tests (@nscuro)
- 4e20914: misc(dx): add project icon for intellij and goland (@nscuro)
v0.7.1
Changelog
Features
- a1db675: feat: add JSON Schema to JSON output (#79) (@mcombuechen)
- 41a1ac5: feat: option to specify HTML escaping for JSON format (#72) (@kzantow)
Fixes
- 08953d1: fix:
gitpod.yml
refers to wrongDockerfile
(@nscuro) - 97c1e5a: fix: license header in
Dockerfile.gitpod
(@nscuro)
Building and Packaging
- b904cab: build(deps): bump actions/checkout from 3.0.2 to 3.1.0 (@dependabot[bot])
- 66aa7d3: build(deps): bump actions/checkout from 3.1.0 to 3.2.0 (@dependabot[bot])
- 5a0b406: build(deps): bump actions/checkout from 3.2.0 to 3.3.0 (@dependabot[bot])
- 8c73864: build(deps): bump actions/checkout from 3.3.0 to 3.4.0 (@dependabot[bot])
- 6dc0ac5: build(deps): bump actions/checkout from 3.4.0 to 3.5.0 (@dependabot[bot])
- 393b665: build(deps): bump actions/setup-go from 3.3.0 to 3.3.1 (@dependabot[bot])
- dace5ef: build(deps): bump actions/setup-go from 3.3.1 to 3.4.0 (@dependabot[bot])
- a7d5143: build(deps): bump actions/setup-go from 3.4.0 to 3.5.0 (@dependabot[bot])
- fd636f7: build(deps): bump actions/setup-go from 3.5.0 to 4.0.0 (@dependabot[bot])
- e3af71d: build(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (@dependabot[bot])
- 2fe798d: build(deps): bump github.com/stretchr/testify from 1.8.1 to 1.8.2 (@dependabot[bot])
- 6b726a5: build(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.0 (@dependabot[bot])
- f8ad513: build(deps): bump golangci/golangci-lint-action from 3.3.0 to 3.3.1 (@dependabot[bot])
- be3d2c3: build(deps): bump golangci/golangci-lint-action from 3.3.1 to 3.4.0 (@dependabot[bot])
- f72e6b7: build(deps): bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (@dependabot[bot])
- 0414aa0: build(deps): bump goreleaser/goreleaser-action from 4.1.0 to 4.2.0 (@dependabot[bot])
- fb45216: build: pin digest of gitpod image (@nscuro)
- 3f98a11: build: pin github actions to commit digest (@nscuro)
Others
v0.7.0
Changelog
Features
- acb9322: feat: add enum for official media types (@nscuro)
- 2826fe2: feat: add support for encoding to older spec versions (#51) (@nscuro)
- 7a2113a: feat: raise baseline go version to 1.17 (#53) (@nscuro)
- 7415143: feat: return error when parsing unknown spec versions (@nscuro)
- 1655b7d: feat: set
SpecVersion
when decoding from xml (@nscuro) - f97e04a: feat: update gitpod dockerfile (@nscuro)
Fixes
Building and Packaging
- f43660c: build(deps): bump actions/setup-go from 3.1.0 to 3.2.0 (@dependabot[bot])
- 2458312: build(deps): bump actions/setup-go from 3.2.0 to 3.2.1 (@dependabot[bot])
- 760fae3: build(deps): bump actions/setup-go from 3.2.1 to 3.3.0 (@dependabot[bot])
- 4dddf51: build(deps): bump apache/skywalking-eyes from 0.3.0 to 0.4.0 (@dependabot[bot])
- 6eb6521: build(deps): bump github.com/bradleyjkemp/cupaloy/v2 from 2.7.0 to 2.8.0 (@dependabot[bot])
- bff00ef: build(deps): bump github.com/stretchr/testify from 1.7.1 to 1.7.2 (@dependabot[bot])
- fc11b56: build(deps): bump github.com/stretchr/testify from 1.7.2 to 1.7.4 (@dependabot[bot])
- f521d75: build(deps): bump github.com/stretchr/testify from 1.7.4 to 1.7.5 (@dependabot[bot])
- d5d1ab6: build(deps): bump github.com/stretchr/testify from 1.7.5 to 1.8.0 (@dependabot[bot])
- b83bbe8: build(deps): bump goreleaser/goreleaser-action from 2 to 3 (@dependabot[bot])
Documentation
- 8f8fadf: docs: fix cyclonedx-go version in compatibility matrix (@nscuro)
- 124f2be: docs: fix typos (@nscuro)
Others
v0.6.0
Changelog
Features
Fixes
Building and Packaging
- d063798: build(deps): bump actions/checkout from 3.0.0 to 3.0.2 (@dependabot[bot])
- 0b1d408: build(deps): bump actions/setup-go from 3.0.0 to 3.1.0 (@dependabot[bot])
- 47702c4: build(deps): bump apache/skywalking-eyes from 0.2.0 to 0.3.0 (@dependabot[bot])
- 5940b17: build(deps): bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (@dependabot[bot])
v0.5.2
Changelog
Fixes
- 0a1487e: fix: edit casing of email (#30) (@jspeed-meyers)
- 644d3e5: fix: encoding of XML chars in tags (@derkoe)
Building and Packaging
v0.5.1
Changelog
Fixes
Building and Packaging
- 1f31d49: build(ci): add setup-go to lint job (@nscuro)
- 018dff2: build(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (@dependabot[bot])
- 15708b3: build(deps): bump golangci/golangci-lint-action from 2 to 3.1.0 (@dependabot[bot])
- a2abeb6: build(deps): update
actions/checkout
to v3.0.0 (@nscuro) - ba3af87: build(deps): update
actions/setup-go
to v3.0.0 (@nscuro)