Commit
feat!: rewrite CLI and parsers (#610)
- BC: removed support for python < 3.8
- BC: removed deprecated shell script `cyclonedx-bom`
- BC: removed conda support. However, conda's Python environments are fully supported.
- BC: removed public API. You may use the CLI instead.
- complete redesign of the CLI:
  - uses sub-commands for easy accessibility
  - Easily understandable flags, switches and options -- in accordance with the domain
  - Updated help pages, including examples
- Complete rewrite from scratch
- Dozens of new features and fixes
  - New environment analyzer supports any Python (virtual) environment
  - Poetry analyzer supports groups, filtering and such
  - Pipenv analyzer supports categories, filtering and such
  - More details in the SBOM results
  - PackageURLs may have more qualifiers
  - component properties according to 
    - <https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/python.md> 
    - <https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/pipenv.md>
    - <https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/poetry.md>
  - SBOM results may be validated
  - SBOM results may have dependency graph populated
  - SBOM results may have root-component populated
  - Fixed possible issues with input data encoding
  - May omit dev-dependencies or domain-specific groups/categories
  - Support CycloneDX 1.5

---------

Signed-off-by: Jan Kowalleck <[email protected]>
jkowalleck authored Dec 25, 2023
1 parent f280511 commit ebb12ba
Showing 875 changed files with 139,528 additions and 4,848 deletions.
3 changes: 3 additions & 0 deletions .envrc
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
# https://pipenv.pypa.io/en/latest/configuration.html
export PIPENV_IGNORE_VIRTUALENVS=1

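Review bot: the new .envrc carries no comment saying it is a direnv file, so a contributor who does not use direnv (or has not run `direnv allow`) runs without `PIPENV_IGNORE_VIRTUALENVS=1` and pipenv may reuse whatever virtualenv happens to be active, which is exactly the situation this setting is meant to avoid. Add a line above the `export` stating that the file is optional and only loaded by direnv, and mirror the setting in the contributor docs so the behaviour does not depend on this file being sourced. Since direnv executes .envrc as shell once allowed, keeping it to plain `export` lines, as it is now, is the right shape.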
2 changes: 1 addition & 1 deletion .flake8
@@ -11,7 +11,7 @@ exclude =

max-line-length = 120

#max-complexity = 10
max-complexity = 15

ignore =
# ignore `self`, `cls` markers of flake8-annotations>=2.0
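Review bot: `max-complexity` goes straight from disabled (the commented-out `#max-complexity = 10`) to enforced at 15 with nothing explaining why 15 was chosen. Because this commit lands the rewritten parsers, the threshold set here becomes the baseline for that new code; a one-line comment with the rationale (for example how many functions would fail at 10) would help whoever is later asked to tighten it, and would make it clear this is a deliberate ceiling rather than a number picked to make the current tree pass.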
4 changes: 2 additions & 2 deletions .github/ISSUE_TEMPLATE/ValidationError-report.md
@@ -12,14 +12,14 @@ assignees: ''
Steps to reproduce the behavior:

1. How was _cyclonedx-py_ called?
<!-- e.g. `cyclonedx-py --omit=dev ...` -->
<!-- e.g. `cyclonedx-py requirements ...` -->
2. What kind of evidence was processed?
<!-- upload a complete project or set of other evidences to this issue, or a pastebin of you choice and put the link here. -->
3. Error report:
<!-- upload the complete output to this issue, or a pastebin of you choice and put the link here. -->
4. Expected result:
<!-- run the original call again
with parameters `--no-validate -o -`,
with parameters `--no-validate -vvv -o -`,
then upload the output this issue, or to a pastebin of you choice and put the link here. -->

## Environment
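Review bot: the reproduction step now asks reporters to rerun with `--no-validate -vvv -o -` and upload "the output", but with `-o -` the BOM goes to stdout while the `-vvv` log does not share that stream (if it is written to stderr, as is usual), so reporters will tend to paste one without the other; spell out how to capture both, for example by redirecting stdout and stderr to two files. It is also worth one sentence that the verbose output and the BOM can include local paths and other details of the machine the tool ran on, so reporters should look through them before uploading. Drive-by: "pastebin of you choice" should read "your choice" in all three places.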
25 changes: 6 additions & 19 deletions .github/workflows/docker.yml
@@ -32,33 +32,27 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: setup reports-dir
run: mkdir "$REPORTS_DIR"

- name: Setup python ${{ env.PYTHON_VERSION }}
# see https://github.com/actions/setup-python
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
architecture: 'x64'

- name: Setup poetry ${{ env.POETRY_VERSION }}
# see https://github.com/marketplace/actions/setup-poetry
uses: Gr1N/setup-poetry@v8
with:
poetry-version: ${{ env.POETRY_VERSION }}

- name: bump version
id: bump-version
run: |
VERSION="${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }}+testing"
poetry version "$VERSION"
echo "version=$VERSION" >> $GITHUB_OUTPUT
- name: Poetry build
run: poetry build

- name: Artifact python dist
if: |
!failure() && !cancelled() &&
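Review bot: `Gr1N/setup-poetry@v8` is referenced by a mutable major tag; for a workflow whose purpose is to build the image and produce its own SBOM, pin the third-party action to a full commit SHA (with the tag in a trailing comment) so a retagged release cannot change what runs in this job. Minor: quote the target in `echo "version=$VERSION" >> $GITHUB_OUTPUT`. The remaining changes in this hunk only delete blank lines; keeping whitespace churn out of a functional change keeps blame useful on a file that is security-relevant.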
@@ -69,7 +63,6 @@ jobs:
name: ${{ env.RUN_ARTIFACT_PYTHON_DIST }}
path: ${{ env.DIST_SOURCE_DIR }}/
if-no-files-found: warn

- name: Build Docker image
env:
VERSION: ${{ steps.bump-version.outputs.version }}
@@ -78,25 +71,20 @@ jobs:
--build-arg "VERSION=$VERSION"
-t "$DOCKER_TAG"
.
- name: Build own SBoM (XML)
run: >
docker run --rm "$DOCKER_TAG"
-X
--environment
--format=xml
--output=-
environment
-vvv
--output-format XML
> "$REPORTS_DIR/docker-image.bom.xml"
- name: Build own SBoM (JSON)
run: >
docker run --rm "$DOCKER_TAG"
-X
--environment
--format=json
--output=-
environment
-vvv
--output-format JSON
> "$REPORTS_DIR/docker-image.bom.json"
- name: Artifact reports
if: ${{ ! cancelled() }}
# see https://github.com/actions/upload-artifact
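Review bot: the new invocation `environment -vvv --output-format XML` drops the explicit `--output=-` and relies on stdout being the default destination, with the shell redirect `> "$REPORTS_DIR/docker-image.bom.xml"` doing the capture. Pass the destination explicitly (the issue template in this same commit uses `-o -`) so a later change of the default cannot leave an empty report file that the `Artifact reports` step then uploads as if the build had produced a BOM. With validation on by default, an invalid BOM now fails this step, which is the behaviour wanted here; `-vvv` is fine provided the log does not share stdout with the BOM, because both commands redirect stdout into the .bom file.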
@@ -105,7 +93,6 @@ jobs:
name: ${{ env.REPORTS_ARTIFACT }}
path: ${{ env.REPORTS_DIR }}
if-no-files-found: error

- name: Destroy Docker image
# run regardless of outcome
if: ${{ always() }}
65 changes: 41 additions & 24 deletions .github/workflows/python.yml
@@ -36,6 +36,7 @@ env:
POETRY_VERSION: "1.4.1"
REPORTS_DIR: CI_reports
TESTS_REPORTS_ARTIFACT: tests-reports
PIPENV_VENV_IN_PROJECT: 1

jobs:
coding-standards:
@@ -63,21 +64,19 @@ jobs:
run: poetry run tox r -e flake8 -s false

static-code-analysis:
name: Static Coding Analysis (py${{ matrix.python-version}} ${{ matrix.toxenv-factor }})
name: StaticCodingAnalysis (py${{ matrix.python-version}} ${{ matrix.toxenv-factors }})
runs-on: ${{ matrix.os }}
timeout-minutes: 10
strategy:
fail-fast: false
matrix:
include:
- # test with the locked dependencies
python-version: '3.11'
toxenv-factor: 'locked'
- python-version: '3.12'
os: ubuntu-latest
- # test with the lowest dependencies
python-version: '3.8'
toxenv-factor: 'lowest'
toxenv-factors: '-current'
- python-version: '3.8'
os: ubuntu-latest
toxenv-factors: '-lowest'
steps:
- name: Checkout
# see https://github.com/actions/checkout
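Review bot: changing the display name from `Static Coding Analysis (...)` to `StaticCodingAnalysis (...)` changes the check name GitHub reports; if branch protection lists the old name as a required status check, it has to be updated alongside this change or the protection silently stops gating merges. The hunk also drops the two comments that explained the matrix entries (`# test with the locked dependencies`, `# test with the lowest dependencies`); put equivalents back next to `-current` and `-lowest`, since the leading hyphen in the factor values is not self-explanatory to the next person editing the matrix.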
@@ -96,7 +95,7 @@ jobs:
- name: Install dependencies
run: poetry install --no-root
- name: Run tox
run: poetry run tox r -e mypy-${{ matrix.toxenv-factor }} -s false
run: poetry run tox r -e mypy${{ matrix.toxenv-factors }} -s false

security-issues:
name: find Security Issues
@@ -122,8 +121,37 @@ jobs:
- name: Run tox
run: poetry run tox run -e bandit -s false

install-and-run:
name: install & run "${{matrix.command}}" (${{matrix.os}})
runs-on: ${{ matrix.os }}
timeout-minutes: 10
strategy:
fail-fast: false
matrix:
command:
- cyclonedx-py --help
- python -m cyclonedx_py --help
os:
- ubuntu-latest
- macos-latest
- windows-latest
steps:
- name: Checkout
# see https://github.com/actions/checkout
uses: actions/checkout@v4
- name: Setup Python Environment
# see https://github.com/actions/setup-python
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
architecture: 'x64'
- name: Install self
run: pip install .
- name: run command
run: ${{matrix.command}}

build-and-test:
name: Test (${{ matrix.os }} py${{ matrix.python-version }} ${{ matrix.toxenv-factor }})
name: Test (${{ matrix.os }} py${{ matrix.python-version }})
runs-on: ${{ matrix.os }}
timeout-minutes: 10
strategy:
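Review bot: `run: ${{matrix.command}}` expands the matrix value directly into the shell script. The values are hard-coded in this workflow, so it is not exploitable as written, but it is the expression-injection pattern that becomes one the moment a value is derived from inputs or event data; route it through an environment variable (`env: CMD: ${{ matrix.command }}` and `run: $CMD`) so the safe shape is what gets copied later. Also, this job pins `actions/setup-python@v4` while docker.yml in the same commit moved to `@v5`; align the two. Exercising both `cyclonedx-py --help` and `python -m cyclonedx_py --help` after `pip install .` does cover both the console script and the module entry point across the three OSes.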
@@ -134,22 +162,11 @@ jobs:
- macos-latest
- windows-latest
python-version:
- "3.11" # highest supported
- "3.12" # highest supported
- "3.11"
- "3.10"
- "3.9"
- "3.8" # lowest supported -- handled in include
toxenv-factor: ['locked']
include:
# test with the lowest dependencies
- os: ubuntu-latest
python-version: '3.8'
toxenv-factor: 'lowest'
- os: macos-latest
python-version: '3.8'
toxenv-factor: 'lowest'
- os: windows-latest
python-version: '3.8'
toxenv-factor: 'lowest'
steps:
- name: Checkout
# see https://github.com/actions/checkout
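Review bot: removing the three `toxenv-factor: 'lowest'` include entries means the test suite no longer runs against the lowest supported dependency versions on any OS; only the mypy job keeps a `-lowest` factor. If that is intended, the comment `# lowest supported -- handled in include` on the "3.8" entry is now stale, since there is no include block left; if it is not intended, the lowest-bound run should come back at least on ubuntu, because the lower bounds declared in the project metadata are otherwise unverified.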
@@ -172,14 +189,14 @@ jobs:
- name: Ensure build successful
run: poetry build
- name: Run tox
run: poetry run tox r -e py-${{ matrix.toxenv-factor }} -s false
run: poetry run tox r -e py -s false
- name: Generate coverage reports
if: ${{ failure() || success() }}
shell: bash
run: |
set -eux
poetry run coverage report -m
poetry run coverage xml -o '${{ env.REPORTS_DIR }}/coverage/${{ matrix.os }}_${{ matrix.python-version }}_${{ matrix.toxenv-factor }}.cobertura.xml'
poetry run coverage xml -o '${{ env.REPORTS_DIR }}/coverage/${{ matrix.os }}_${{ matrix.python-version }}.cobertura.xml'
- name: Artifact reports
if: ${{ ! cancelled() }}
# see https://github.com/actions/upload-artifact
12 changes: 6 additions & 6 deletions .github/workflows/release.yml
@@ -150,16 +150,16 @@ jobs:
- name: Build own SBoM (XML)
run: >
docker run --rm "$DOCKER_REPO:$VERSION"
--environment
--format=xml
--output=-
environment
-vvv
--output-format XML
> "$REPORTS_DIR/$ARTIFACT_DOCKER_SBOM.bom.xml"
- name: Build own SBoM (JSON)
run: >
docker run --rm "$DOCKER_REPO:$VERSION"
--environment
--format=json
--output=-
environment
-vvv
--output-format JSON
> "$REPORTS_DIR/$ARTIFACT_DOCKER_SBOM.bom.json"
- name: Artifact reports
if: ${{ ! cancelled() }}
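Review bot: this is the same invocation change as in docker.yml, with the same reliance on the default output destination behind the `>` redirect; pass `-o -` explicitly here as well. The two workflows now carry identical `Build own SBoM (XML)` and `Build own SBoM (JSON)` steps that must be edited in lockstep on every CLI change, and this commit already had to touch both; a composite action or reusable workflow for the SBOM-of-self step would remove that duplication.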
0 comments on commit ebb12ba