Change default spec version to latest #1173

Status: Open

XSpielinbox opened this issue Apr 21, 2024 · 1 comment
Labels
breaking-change (breaking change; causes a new major version)

Comments

@XSpielinbox (Contributor)

Is your feature request related to a problem? Please describe.

I'm always frustrated when I have to manually look up the newest version of the CycloneDX spec and specify it manually via the CLI. Newer versions of the spec bring improvements, and defaulting to old versions hinders adoption.

Describe the solution you'd like

It would be very nice if the newest supported version were the default; then one wouldn't have to specify a spec version and could nevertheless use the latest and greatest version of CycloneDX.

Describe alternatives you've considered

Adopt a clear guideline on when to change the default to a new version if it is not changed directly, but rather e.g. 1 week/month/year after the release of the new spec version.

Additional context

Version 1.4 (the current default) was released on 12 January 2022, so it is over two years old now and has been the default for at least 1.5 years.

Version 1.5 was released on 26 June 2023, so it is almost a year old now as well.

Version 1.6 was released on 09 April 2024, so it is almost 2 weeks old now, but it has been supported for over a month now.

Dependency Track works flawlessly with CycloneDX 1.6.

@XSpielinbox added the "enhancement" (New feature or request) label on Apr 21, 2024
@jkowalleck added the "breaking-change" (breaking change; causes a new major version) label and removed the "enhancement" (New feature or request) label on Apr 23, 2024
@jkowalleck (Member)

> Newer versions of the spec bring improvements and defaulting to old versions hinders adoption.

Changing the default value has no benefit for anybody in this case; it would not affect the SBOM result in any way. So I do not see your point here.

I am well aware of adopting new standards. But it took the CycloneDX community several months to adopt spec 1.5 when it came to ingesting the data.

> Version 1.5 has been released on 26 June 2023, so is almost a year old now as well.

See, for example, DependencyTrack: CDX 1.5 support was introduced on October 16, 2023.

> Dependency Track works flawlessly with CycloneDX 1.6.

See https://docs.dependencytrack.org/changelog/

As of today, DT v4.10.1 is the "latest" version. It was built months before CycloneDX 1.6 was released...
So I would not count on that ;-)

> It would be very nice, if the newest supported version would be the default, then one doesn't have to specify a spec version and nevertheless can use the latest and greatest version of CycloneDX.

None of its features are used in this tool yet.

All in all, I see your request, and still I do not see any reason to change a default value to 1.6 yet.

-> I will close this issue as soon as the "latest" version becomes the default. No worries.
