Changelog

v6.0.0 (2025-04-24)

Features


Signed-off-by: Michael Schlenker michael.schlenker@contact-software.com

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Co-authored-by: Michael Schlenker michael.schlenker@contact-software.com

Co-authored-by: Jan Kowalleck jan.kowalleck@gmail.com

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v5.5.0 (2025-04-23)

Features

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v5.4.0 (2025-04-23)

Documentation

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com


Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Features

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v5.3.0 (2025-02-26)

Features


Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v5.2.0 (2025-02-20)

Documentation

Signed-off-by: lightningRalf lightningRalf@proton.me

Features

fixes #845

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v5.1.2 (2025-01-21)

Bug Fixes

fixes #840


Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Documentation

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v5.1.1 (2024-11-09)

Bug Fixes

fixes #826


Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Documentation

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v5.1.0 (2024-10-23)

Features

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v5.0.0 (2024-10-15)

Documentation

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Features

BREAKING Changes

  • Emitted metadata tool name is cyclonedx-py, was cyclonedx-bom.

  • Emitted metadata tools are up to non-deprecated CycloneDX specification.

  • No longer emit deprecated or undocumented properties in namespace cdx:poetry <https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/poetry.md> (see previous release 4.6.0 for official replacements).
      - cdx:poetry:source:package:reference
      - cdx:poetry:package:source:resolved_reference
      - cdx:poetry:package:source:vcs:requested_revision
      - cdx:poetry:package:source:vcs:commit_id

The mentioned changes are considered “breaking” for processes that relied on the respective data structures. Migration paths are self-explanatory.

Dependencies

  • Requires cyclonedx-python-lib>=8.0.0,<9 now, was >=7.3.0,<8.0.0,!=7.3.1.


Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v4.6.1 (2024-09-30)

Bug Fixes

fixes #804


Signed-off-by: Steve (Gadget) Barnes gadgetsteve@hotmail.com

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Co-authored-by: Jan Kowalleck jan.kowalleck@gmail.com

Documentation

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v4.6.0 (2024-09-20)

Documentation

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Features

populate the newly added/fixed CycloneDX properties cdx:python:package:source:vcs:... in accordance with https://github.com/CycloneDX/cyclonedx-property-taxonomy/pull/96 and https://github.com/CycloneDX/cyclonedx-property-taxonomy/pull/98.

the deprecated properties are still used, so no breaking changes exist.

fixes #789


Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v4.5.1 (2024-09-18)

Bug Fixes

utilizes flake8 plugin https://pypi.org/project/flake8-copyright-validator/ to assert the correct headers

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Documentation

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v4.5.0 (2024-06-10)

Documentation

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Features

From python environments, gather additional declared license information according to PEP 639 <https://peps.python.org/pep-0639> (improving license clarity with better package metadata).

New CLI switches for cyclonedx environment:

  • --PEP-639: Enable license gathering according to PEP 639 (improving license clarity with better package metadata). The behavior may change during the draft development of the PEP.

  • --gather-license-texts: Enable license text gathering.

In current state of implementation, --gather-license-texts has effect only if --PEP-639 is also given.


Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v4.4.3 (2024-04-26)

Bug Fixes

add regression test for #727

fixes #727


Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v4.4.2 (2024-04-21)

Bug Fixes

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v4.4.1 (2024-04-21)

Bug Fixes

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v4.4.0 (2024-04-21)

Features

The container image version of the app is also available on GitHub Container Registry: https://github.com/orgs/CycloneDX/packages/container/package/cyclonedx-python


Signed-off-by: jxdv virgoj@protonmail.com

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Signed-off-by: semantic-release semantic-release@bot.local

Co-authored-by: jxdv virgoj@protonmail.com

Co-authored-by: semantic-release semantic-release@bot.local

v4.3.0 (2024-04-20)

Features

fixes #718


Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v4.2.0 (2024-04-18)

Features

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v4.1.6 (2024-04-15)

Bug Fixes

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v4.1.5 (2024-04-11)

Bug Fixes

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v4.1.4 (2024-03-28)

Bug Fixes

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v4.1.3 (2024-03-15)

Bug Fixes

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Documentation

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v4.1.2 (2024-03-01)

Build System

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v4.1.1 (2024-02-03)

Bug Fixes

ALL names of package extras are normalized, according to spec https://packaging.python.org/en/latest/specifications/name-normalization/#name-normalization


Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Documentation

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v4.1.0 (2024-02-02)

Features

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v4.0.0 (2024-01-31)

Features

Changelog

See also the migration guide in the docs.

  • BC: Removed support for python < 3.8

  • BC: Removed deprecated shell script cyclonedx-bom; use cyclonedx-py instead

  • BC: Removed conda support. However, conda’s Python environments are fully supported. See below.

  • BC: Removed public API. You may use the CLI instead, see chapter “usage” in the docs.

  • BC: Complete redesign of the CommandLineInterface(CLI):
      - Uses sub-commands for easy accessibility and divide in specific purposes and domains
      - Easy understandable flags, switches and options – in accordance with the domains
      - Updated help pages, added usage examples

  • Dozens of new features and fixes, such as:
      - environment analyzer supports any Python (virtual) environment – including support for, but not limited to: conda, Hatch, PDM, Pipenv, Poetry, venv, virtualenv
      - Poetry analyzer support groups, filtering, and such
      - Pipenv analyzer support categories, filtering, and such
      - requirements analyzer is feature complete and fixed
      - More details in the SBOM results (based on method)
      - PackageURLs may have more qualifiers (enabled per default, disable via --short-PURLs)
      - component properties according to official taxonomy
      - SBOM results may be validated (enabled per default, disable via --no-validate)
      - SBOM results may have dependency graph populated (if supported by method - applies to environment and Poetry)
      - SBOM results may have root-component populated (if pyproject provided)
      - SBOM results are more diff-friendly and not just one long line of text
      - Fixed possible issues with input data encoding
      - May omit dev-dependencies or domain-specific groups/categories (if supported by method and issued by CLI switches)
      - Strip authentication secrets from (private) download/index URLs
      - Support CycloneDX 1.5 - which is the default now
      - Upgraded documentation, examples, …
      - Complete rewrite from scratch
      - Dependencies were bumped, dropped, added, …
      - QA and test suites were massively enhanced


Signed-off-by: Paul Horton paul.horton@owasp.org

Signed-off-by: Thomas Graf thomas.graf@siemens.com

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Signed-off-by: dependabot[bot] support@github.com

Signed-off-by: Andreas Fehlner fehlner@arcor.de

Signed-off-by: Jan Kowalleck jan.kowalleck@owasp.org

Signed-off-by: semantic-release

Co-authored-by: Paul Horton paul.horton@owasp.org

Co-authored-by: Thomas Graf thomas.graf@siemens.com

Co-authored-by: semantic-release

Co-authored-by: dependabot[bot] 49699333+dependabot[bot]@users.noreply.github.com

Co-authored-by: github-actions github-actions@github.com

Co-authored-by: Andreas Fehlner fehlner@arcor.de

v3.11.7 (2023-11-03)

Bug Fixes

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v3.11.6 (2023-11-03)

Bug Fixes

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v3.11.5 (2023-10-20)

Bug Fixes

The custom input specified via CLI’s -i option did not properly detect the input encoding. This was fixed.

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v3.11.4 (2023-10-19)

Bug Fixes

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v3.11.3 (2023-10-19)

Bug Fixes

Input files in lock-format are expected in a certain encoding, other input file encodings are detected.

fixes https://github.com/CycloneDX/cyclonedx-python/issues/448


Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Co-authored-by: Jan Kowalleck jan.kowalleck@gmail.com

Documentation

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v3.11.2 (2023-07-12)

Bug Fixes

somebody renamed the master branch to main, but forgot to transition the docs. fixed this

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v3.11.1 (2023-07-12)

Bug Fixes

it's -> its

fixes #551

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v3.11.0 (2023-02-11)

Documentation

caused by https://github.com/badges/shields/issues/8671

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Signed-off-by: Thomas Beutlich thomas.beutlich@neocx.de

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Co-authored-by: Jan Kowalleck jan.kowalleck@gmail.com

Features

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v3.10.1 (2022-12-15)

Bug Fixes

Signed-off-by: Roland Weber rolweber@de.ibm.com

Documentation

Signed-off-by: Roland Weber rolweber@de.ibm.com

v3.10.0 (2022-12-13)

Features

Signed-off-by: tewfik-ghariani tewfik.ghariani@1und1.de

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Co-authored-by: tewfik-ghariani tewfik.ghariani@1und1.de

v3.9.0 (2022-12-13)

Features

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v3.8.0 (2022-12-12)

Features

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v3.7.4 (2022-12-12)

Bug Fixes

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v3.7.3 (2022-12-11)

Bug Fixes

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v3.7.2 (2022-11-15)

Bug Fixes

Documentation

v3.7.1 (2022-11-10)

Bug Fixes

fixes #440

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v3.7.0 (2022-11-10)

Features

Signed-off-by: a1lu github.foreshoe@slmail.me

v3.6.4 (2022-11-10)

Bug Fixes

Signed-off-by: a1lu github.foreshoe@slmail.me

v3.6.3 (2022-09-19)

Bug Fixes

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v3.6.2 (2022-09-19)

Bug Fixes

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v3.6.1 (2022-09-19)

Bug Fixes

use named licenses instead of license expressions.

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v3.6.0 (2022-09-16)

Documentation

fixes #414

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Features

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v3.5.0 (2022-06-27)

v3.4.0 (2022-06-16)

v3.3.0 (2022-06-16)

v3.2.2 (2022-06-02)

Bug Fixes

v3.2.1 (2022-04-05)

Bug Fixes

fixes #337

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v3.2.0 (2022-04-05)

Bug Fixes

Signed-off-by: Mostafa Moradian mostafamoradian0@gmail.com

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Co-authored-by: Mostafa Moradian mostafamoradian0@gmail.com

Documentation

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Features

fixes #321

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v3.1.1 (2022-03-21)

Bug Fixes

conda package string parser no longer raises unexpected errors, if the build-number is non-numeric.

fixes #331

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Documentation

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v3.1.0 (2022-03-10)

Bug Fixes

Signed-off-by: Mostafa Moradian mostafamoradian0@gmail.com

Signed-off-by: Mostafa Moradian mostafamoradian0@gmail.com

Documentation

Signed-off-by: Mostafa Moradian mostafamoradian0@gmail.com

Features

Signed-off-by: Mostafa Moradian mostafamoradian0@gmail.com

v3.0.0 (2022-02-21)

Features

Signed-off-by: Paul Horton paul.horton@owasp.org

BREAKING CHANGE: Default Schema Version has been replaced by notion of LATEST supported Schema Version

Signed-off-by: Paul Horton paul.horton@owasp.org

Signed-off-by: Paul Horton paul.horton@owasp.org

Signed-off-by: Paul Horton paul.horton@owasp.org

Breaking Changes

  • Default Schema Version has been replaced by notion of LATEST supported Schema Version

v2.0.3 (2022-02-03)

Bug Fixes

fixes #308

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

v2.0.2 (2022-02-03)

Bug Fixes

Bind reading from stdin on specifying -i -. This is part of argparse.FileType <https://docs.python.org/3/library/argparse.html?highlight=pseudo-argument#argparse.FileType>.

Local tests under the following conditions:

  • implicit reading poetry.lock using args -p -o -

  • explicit reading poetry.lock using args -p -i poetry.lock -o -

  • explicit reading poetry.lock file after renaming using cat p.lock | python -m cyclonedx_py.client -p -i - -o -

Signed-off-by: Theodor van Nahl theo@van-nahl.org

v2.0.1 (2022-01-24)

Bug Fixes

Signed-off-by: Paul Horton paul.horton@owasp.org

v2.0.0 (2022-01-13)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton paul.horton@owasp.org

Documentation

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

  • README: fixed fenced-code and lists

  • README: shields got modernized and linked

  • README: harmonized links

Features

v1.5.3 (2021-11-23)

v1.5.2 (2021-11-23)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

v1.5.1 (2021-11-23)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

v1.5.0 (2021-11-17)

Features

Signed-off-by: Jan Kowalleck jan.kowalleck@gmail.com

  • add py-version classifiers

v1.4.3 (2021-11-16)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

v1.4.2 (2021-11-12)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

v1.4.1 (2021-10-26)

Bug Fixes

v1.4.0 (2021-10-21)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Features

Signed-off-by: Paul Horton phorton@sonatype.com

v1.3.1 (2021-10-19)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

v1.3.0 (2021-10-19)

Features

Signed-off-by: Paul Horton phorton@sonatype.com

v1.2.0 (2021-10-12)

Features

Signed-off-by: Paul Horton phorton@sonatype.com

v1.1.0 (2021-10-04)

Features

Signed-off-by: Paul Horton phorton@sonatype.com

v1.0.5 (2021-09-27)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

v1.0.4 (2021-09-27)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

v1.0.3 (2021-09-27)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

Build System

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

v1.0.2 (2021-09-13)

Bug Fixes

v1.0.1 (2021-09-13)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

v0.4.3 (2020-12-06)

v0.4.2 (2020-10-08)

v0.4.1 (2020-09-09)

v0.4.0 (2020-09-03)

v0.3.5 (2019-12-04)

v0.3.4 (2019-12-04)

v0.3.3 (2019-11-13)