Releases: CycloneDX/cyclonedx-go
Releases · CycloneDX/cyclonedx-go
v0.8.0
This release ships with almost complete support for v1.5 of the CycloneDX specification.
The only exception being the extended data flow support, as used in SaaS BOMs.
Unfortunately, there are also breaking changes in this release:
- The type of
Metadata.Toolshas changed from*[]Toolto*ToolsChoice, to facilitate the deprecation ofToolin the specToolsChoiceholds both legacy*[]Tool, as well as the new*[]Componentand*[]Servicefields- The
Tooltype, as well as theToolsChoice.Toolsfield are marked as deprecated - During encoding and decoding, it is asserted that only one of both options can be present, in accordance with the "One of" constraint of the spec
- When encoding to lower spec versions than v1.5 (using
EncodeVersion),Components andServices are automatically converted to legacyTools - It is strongly recommended to use
Components andServices. However, when consuming BOMs, applications should still expect legacyTools to be present, and handle them accordingly.
Changelog
Fixes
Building and Packaging
- 696aa66: build(deps): bump actions/checkout from 3.5.3 to 4.1.0 (@dependabot[bot])
- b50b319: build(deps): bump actions/checkout from 4.1.0 to 4.1.1 (@dependabot[bot])
- 5cad1b0: build(deps): bump actions/setup-go from 4.1.0 to 5.0.0 (@dependabot[bot])
- b091061: build(deps): bump gitpod/workspace-go from
d3603c7to94ae638(@dependabot[bot]) - 9e310b6: build(deps): bump gitpod/workspace-go from
f37c673tod3603c7(@dependabot[bot]) - 89494fd: build(deps): bump goreleaser/goreleaser-action from 4.4.0 to 5.0.0 (@dependabot[bot])
Others
- 61dd91e: feat(spec1-5): add support for machine learning (@nscuro)
- f831960: feat(spec1-5): update
valid-vulnerabilitytest snapshots (@nscuro) - ffc9a4e: ci: enable more linters (@mmorel-35)
- 3feda75: feat(spec1-5): add additional external reference types (@nscuro)
- bd66a36: feat(spec1-5): add support for
CVSSv4scoring method (@nscuro) - d597bb9: feat(spec1-5): add support for
firstIssuedandlastUpdatedin vuln analysis (@nscuro) - 2ae5445: feat(spec1-5): add support for additional compositions and composition identity (@nscuro)
- f856daa: feat(spec1-5): add support for formulation (@nscuro)
- 2fbde0e: feat(spec1-5): add support for identity, occurrences, and callstack evidence (@nscuro)
- 745a35a: feat(spec1-5): add support for licensing (@nscuro)
- b02255f: feat(spec1-5): add support for lifecycles (@nscuro)
- fe3a904: feat(spec1-5): add support for ssvc scoring method (@nscuro)
- 7d2713f: feat(spec1-5): add support for vulnerability proof of concept (@nscuro)
- 25b250a: feat(spec1-5): add support for vulnerability rejected timestamps (@nscuro)
- c7a84ac: feat(spec1-5): handle deprecation of tools (@nscuro)
Contributors
nscuro, mmorel-35, and dependabot
Assets 5
v0.7.2
This is a bugfix release that ships with minimal support for the CycloneDX v1.5 specification.
Full support is being worked on and planned to be released soon. The progress may be tracked in #90.
The reason for publishing partial support like this is to allow the consumption of v1.5 BOMs, which fails with cyclonedx-go <= v0.7.1.
Warning
The defaultSpecVersionhas been updated toSpecVersion1_5. If your application generates BOMs, and you're not ready (or willing) to distribute BOMs following the v1.5 specification yet, consider usingEncodeVersionto generate output for an older version of the spec.
Changelog
Features
Fixes
- ff719b6: fix: unmarshal bom on v1.5 return invalid specification version (@chen-keinan)
Building and Packaging
- 966c223: build(deps): bump CycloneDX/gh-gomod-generate-sbom from 1.1.0 to 2.0.0 (@dependabot[bot])
- 1e83e85: build(deps): bump actions/checkout from 3.5.0 to 3.5.1 (@dependabot[bot])
- 78f6593: build(deps): bump actions/checkout from 3.5.1 to 3.5.2 (@dependabot[bot])
- 868f6db: build(deps): bump actions/checkout from 3.5.2 to 3.5.3 (@dependabot[bot])
- 5885827: build(deps): bump actions/setup-go from 4.0.0 to 4.0.1 (@dependabot[bot])
- d772b54: build(deps): bump actions/setup-go from 4.0.1 to 4.1.0 (@dependabot[bot])
- 578e862: build(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.4 (@dependabot[bot])
- f83e6a7: build(deps): bump gitpod/workspace-go from
2be827fto910daeb(@dependabot[bot]) - cd7b23a: build(deps): bump gitpod/workspace-go from
910daebtod7a41f5(@dependabot[bot]) - 668553d: build(deps): bump gitpod/workspace-go from
d7a41f5tof37c673(@dependabot[bot]) - d9a5f8c: build(deps): bump golangci/golangci-lint-action from 3.4.0 to 3.5.0 (@dependabot[bot])
- 66f96df: build(deps): bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 (@dependabot[bot])
- 8b51c39: build(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (@dependabot[bot])
- e44f7de: build(deps): bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 (@dependabot[bot])
- 6360fe1: build(deps): bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (@dependabot[bot])
Others
- a069906: feat(spec1-5): add initial support for spec v1.5 (@nscuro)
- 67a7567: feat(spec1-5): add licensing, license properties, and license bom-ref (@nscuro)
- d2f3bb9: feat(spec1-5): add lifecycle support (@nscuro)
- eb041b5: feat(spec1-5): add new component types (@nscuro)
- c45ba61: feat(spec1-5): add new external reference types (@nscuro)
- d84947d: feat(spec1-5): add support for annotations (@nscuro)
- 0ba0496: feat(spec1-5): bump schema to 1.5 for round-trip tests (@nscuro)
- 4e20914: misc(dx): add project icon for intellij and goland (@nscuro)
Contributors
nscuro, chen-keinan, and dependabot
Assets 5
v0.7.1
Changelog
Features
- a1db675: feat: add JSON Schema to JSON output (#79) (@mcombuechen)
- 41a1ac5: feat: option to specify HTML escaping for JSON format (#72) (@kzantow)
Fixes
- 08953d1: fix:
gitpod.ymlrefers to wrongDockerfile(@nscuro) - 97c1e5a: fix: license header in
Dockerfile.gitpod(@nscuro)
Building and Packaging
- b904cab: build(deps): bump actions/checkout from 3.0.2 to 3.1.0 (@dependabot[bot])
- 66aa7d3: build(deps): bump actions/checkout from 3.1.0 to 3.2.0 (@dependabot[bot])
- 5a0b406: build(deps): bump actions/checkout from 3.2.0 to 3.3.0 (@dependabot[bot])
- 8c73864: build(deps): bump actions/checkout from 3.3.0 to 3.4.0 (@dependabot[bot])
- 6dc0ac5: build(deps): bump actions/checkout from 3.4.0 to 3.5.0 (@dependabot[bot])
- 393b665: build(deps): bump actions/setup-go from 3.3.0 to 3.3.1 (@dependabot[bot])
- dace5ef: build(deps): bump actions/setup-go from 3.3.1 to 3.4.0 (@dependabot[bot])
- a7d5143: build(deps): bump actions/setup-go from 3.4.0 to 3.5.0 (@dependabot[bot])
- fd636f7: build(deps): bump actions/setup-go from 3.5.0 to 4.0.0 (@dependabot[bot])
- e3af71d: build(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (@dependabot[bot])
- 2fe798d: build(deps): bump github.com/stretchr/testify from 1.8.1 to 1.8.2 (@dependabot[bot])
- 6b726a5: build(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.0 (@dependabot[bot])
- f8ad513: build(deps): bump golangci/golangci-lint-action from 3.3.0 to 3.3.1 (@dependabot[bot])
- be3d2c3: build(deps): bump golangci/golangci-lint-action from 3.3.1 to 3.4.0 (@dependabot[bot])
- f72e6b7: build(deps): bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (@dependabot[bot])
- 0414aa0: build(deps): bump goreleaser/goreleaser-action from 4.1.0 to 4.2.0 (@dependabot[bot])
- fb45216: build: pin digest of gitpod image (@nscuro)
- 3f98a11: build: pin github actions to commit digest (@nscuro)
Others
Contributors
justinabrahms, mcombuechen, and 3 other contributors
Assets 5
v0.7.0
Changelog
Features
- acb9322: feat: add enum for official media types (@nscuro)
- 2826fe2: feat: add support for encoding to older spec versions (#51) (@nscuro)
- 7a2113a: feat: raise baseline go version to 1.17 (#53) (@nscuro)
- 7415143: feat: return error when parsing unknown spec versions (@nscuro)
- 1655b7d: feat: set
SpecVersionwhen decoding from xml (@nscuro) - f97e04a: feat: update gitpod dockerfile (@nscuro)
Fixes
Building and Packaging
- f43660c: build(deps): bump actions/setup-go from 3.1.0 to 3.2.0 (@dependabot[bot])
- 2458312: build(deps): bump actions/setup-go from 3.2.0 to 3.2.1 (@dependabot[bot])
- 760fae3: build(deps): bump actions/setup-go from 3.2.1 to 3.3.0 (@dependabot[bot])
- 4dddf51: build(deps): bump apache/skywalking-eyes from 0.3.0 to 0.4.0 (@dependabot[bot])
- 6eb6521: build(deps): bump github.com/bradleyjkemp/cupaloy/v2 from 2.7.0 to 2.8.0 (@dependabot[bot])
- bff00ef: build(deps): bump github.com/stretchr/testify from 1.7.1 to 1.7.2 (@dependabot[bot])
- fc11b56: build(deps): bump github.com/stretchr/testify from 1.7.2 to 1.7.4 (@dependabot[bot])
- f521d75: build(deps): bump github.com/stretchr/testify from 1.7.4 to 1.7.5 (@dependabot[bot])
- d5d1ab6: build(deps): bump github.com/stretchr/testify from 1.7.5 to 1.8.0 (@dependabot[bot])
- b83bbe8: build(deps): bump goreleaser/goreleaser-action from 2 to 3 (@dependabot[bot])
Documentation
- 8f8fadf: docs: fix cyclonedx-go version in compatibility matrix (@nscuro)
- 124f2be: docs: fix typos (@nscuro)
Others
Contributors
nscuro and dependabot
Assets 5
v0.6.0
Changelog
Features
Fixes
Building and Packaging
- d063798: build(deps): bump actions/checkout from 3.0.0 to 3.0.2 (@dependabot[bot])
- 0b1d408: build(deps): bump actions/setup-go from 3.0.0 to 3.1.0 (@dependabot[bot])
- 47702c4: build(deps): bump apache/skywalking-eyes from 0.2.0 to 0.3.0 (@dependabot[bot])
- 5940b17: build(deps): bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (@dependabot[bot])
Contributors
desenna, nscuro, and dependabot
Assets 5
v0.5.2
Changelog
Fixes
- 0a1487e: fix: edit casing of email (#30) (@jspeed-meyers)
- 644d3e5: fix: encoding of XML chars in tags (@derkoe)
Building and Packaging
Contributors
derkoe, nscuro, and jspeed-meyers
Assets 5
v0.5.1
Changelog
Fixes
Building and Packaging
- 1f31d49: build(ci): add setup-go to lint job (@nscuro)
- 018dff2: build(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (@dependabot[bot])
- 15708b3: build(deps): bump golangci/golangci-lint-action from 2 to 3.1.0 (@dependabot[bot])
- a2abeb6: build(deps): update
actions/checkoutto v3.0.0 (@nscuro) - ba3af87: build(deps): update
actions/setup-goto v3.0.0 (@nscuro)
Contributors
nscuro and dependabot
Assets 3
v0.5.0
Changelog
Features
- ae38021: feat: add gitpod configuration (@nscuro)
- 9082cd7: feat: add support for cyclonedx spec v1.4 (#16) (@nscuro)
Building and Packaging
- 1e627f6: build(ci): add license header check (@nscuro)
- c189150: build(deps): bump github.com/bradleyjkemp/cupaloy/v2 from 2.6.0 to 2.7.0 (@dependabot[bot])
- 338f68e: build(goreleaser): tweak changelog generation (@nscuro)
- aa2e423: build: drop support for go 1.14 (#11) (@nscuro)
Documentation
- 4d653db: docs: add linebreak to badge list (@nscuro)
- 9c6424e: docs: add missing license header (@nscuro)
- d40c159: docs: fix link to examples (@nscuro)
- 0562d1e: docs: provide examples in a godoc compliant way (@nscuro)
- c487c28: docs: update supported spec version in readme (@nscuro)
Others
Contributors
nscuro and dependabot
Assets 3
v0.4.0
This release brings support for v1.3 of the CycloneDX specification. 🥳
See the compatibility section of the README for details.
Changelog
2b67c89 Merge pull request #6 from CycloneDX/update-gh-action
60c4541 ci: add github-actions ecosystem to dependabot.yml
6257a1b ci: update gh action
30e751f feat: add support for spec version 1.3 (#4)
v0.3.0
Changelog
This release fixes an issue that prevented license expressions being properly decoded from XML.
⚠ BREAKING CHANGE ⚠
The type of Component.Licenses and Service.Licenses has changed from *[]LicenseChoice to *Licenses.
a20be9f Merge pull request #5 from CycloneDX/fix-license-expression-unmarshalling
301ae58 ci: always use latest cyclonedx-gomod version
c1fdab5 ci: enable more linters
39ec200 ci: include golangci-lint in workflow
f7ee97f fix: license expression unmarshalling for XML
42e12f9 fix: missing error handling when marshalling LicenseChoice to XML