v0.5.4

What's Changed

• Stop escaping HTML by @kzantow in #224
• Don't create empty ExcludedFiles array by @DmitriyLewen in #230
• Add external reference category OTHER by @mcombuechen in #229
• Remove empty packageVerificationCode in 2.2 JSON by @kzantow in #223

New Contributors

• @mcombuechen made their first contribution in #229

Full Changelog: v0.5.3...v0.5.4

v0.5.3

What's Changed

• Fix: SPDX decode error originator by @spiffcs in #221

New Contributors

• @spiffcs made their first contribution in #221

Full Changelog: v0.5.2...v0.5.3

v0.5.2

What's Changed

• fix duplicate shorthand relationships for opposite case by @lumjjb in #220

Full Changelog: v0.5.1...v0.5.2

v0.5.1

What's Changed

• Add ability to specify JSON output options by @DmitriyLewen in #213
• Fix some optional params: copyrightText, licenseListVersion, packageVerificationCode by @lumjjb in #215
• Properly output and read the filesAnalyzed field in JSON/YAML by @kzantow in #210
• Ensure no duplicates in relationships when shortcut fields are used. by @lumjjb in #218

New Contributors

• @testwill made their first contribution in #212
• @DmitriyLewen made their first contribution in #213

Full Changelog: v0.5.0...v0.5.1

v0.5.0

This is the first release which includes a significant refactoring of this library and includes the ability to convert between SPDX document versions (2.1 - 2.3).

NOTE: This version has a major refactoring how to use the library. This is now much more streamlined. Prior to this change, it was required to import things like spdx/v2_2 and directly reference those version files. This refactoring moves usage to have a "common model", which ends up being the latest SPDX version, available at the same package across releases: github.com/spdx/tools-golang/spdx. This means when upgrading versions of tools-golang, you can always get the latest version supported by the library and support reading older versions due to the automatic conversions that the reading functions provide.

To get an idea of what is involved (it really isn't a lot of work), you can have a look at the Syft PR that upgraded to use the new interfaces: anchore/syft#1503

After upgrading to this usage pattern, subsequent updates of the tools-golang library will only require changes to your code if the latest model changes (for example, when 3.0 is implemented -- but your older 2.x files will still work fine to read in and export).

What's new

• Refactor: maintain the latest SPDX model and provide conversions from previous by @kzantow in #172
• Added more const for external reference to external.go by @neilnaveen in #188

Bug fixes

• Fixed Bug For DocumentComment by @neilnaveen in #185 and #187
• Improve SPDX document validation by @neilnaveen in #200
• Read shortcut fields: documentDescribes and hasFiles by @kzantow in #201
• JSON reading/writing sets appropriate PACKAGE-MANAGER enum based on version by @lumjjb in #204

New Contributors

• @jspeed-meyers made their first contribution in #181
• @neilnaveen made their first contribution in #185

Full Changelog: v0.4.0...v0.5.0

v0.5.0-rc1

This is the first release candidate which is a significant refactoring of this library and includes the ability to convert between SPDX document versions (2.1 - 2.3).

Full Changelog: v0.4.0...v0.5.0-rc1

v0.4.0

0.4.0

New Features and Enhancements

• SPDX v2.3 support #164
• YAML support #134
• Add reference types enumerables to SPDX pkg definition #162 #163
• Expand hash algorithm support to include all valid SPDX 2.2 and 2.3 algorithms #173

Bug fixes

• JSON encoding and decoding not properly handling SPDXRef- prefixes #170

Documentation and Cleanup

• Overhaul structs, refactor JSON parser and saver #133
• YAML documentation and JSON documentation fixes #141
• Convert SPDX structs to versioned pkgs #146
• Ensure consistency between JSON struct tags across different SPDX versions #174
• Add Security.md for handling of security issues #154
• Update build workflow to go 1.18 #148

Contributors

• @ianling
• @CatalinStratu
• @lumjjb
• @pxp928
• @kzantow
• @puerco
• @jedevc

v0.3.0

New Features and Enhancements

• Add support for saving SPDX JSON: #92, #94, #97, #98, #104, #106, #113
• Begin OpenSSF Best Practices process and add initial badge: #111
  • also enabled branch protection for main branch

Bug fixes

• tvsaver: Fix incorrect tag for Snippet IDs: #95
• GitHub Actions: Fix incorrect branch for code coverage: #112
• builder: Fix file paths to be relative rather than absolute: #114
• builder: Add missing mandatory field LicenseInfoInFile: #119

Documentation and Cleanup

• Fix link to release notes: #91
• Language fixes for JSON documentation: #108
• Add badges and links for releases and documentation: #109
• Update documentation for release: #121, #122
• Fixes for examples and sample run commands: #123, #125, #126, #127

Contributors

• @CatalinStratu
• @specter25
• @swinslow

v0.3.0-rc1

Release Candidate 1 for v0.3.0

See draft release notes for v0.3.0 in RELEASE-NOTES.md

v0.2.0

New Features and Enhancements

• Add support for parsing SPDX JSON: #72, #75, #83, #84, #87
  • bug fixes in interim versions: #77, #78, #79, #80, #81, #82
• Improve handling of multiple hash checksum types: #41, #49, #60
• Enable filtering relationships by various relationship types: #71, #74
• Improve package license visibility: #65, #66
• Rename primary branch to 'main': #69
• Add release notes and push release: #85, #90

Bug fixes

• Fix multiline (<text>) wrapping for various fields: #31, #53, #58, #89, #76
• Fix special SPDX IDs in right-hand side of Relationships: #59, #63, #68
• Throw error when parsing tag-value elements without SPDX IDs: #26, #64
• Fix missing colon in 'excludes' for Package Verification Code when saving tag-value documents: #86, #88
• Fix incorrect license statement: #70

Contributors

• @autarch
• @bisakhmondal
• @ianling
• @matthewkmayer
• @RishabhBhatnagar
• @specter25
• @swinslow