Merge branch 'CycloneDX:main' into main

Author: saquibsaifee

.github/workflows/python.yml

@@ -4,14 +4,14 @@ name: Python CI
 
 on:
   push:
-    branches: ["main"]
+    branches: ["main", "next"]
+    tags: [ 'v*' ]
   pull_request:
-    branches-ignore: ['dependabot/**']
   workflow_dispatch:
   schedule:
-    # schedule weekly tests, since some dependencies are not intended to be pinned
-    # this means: at 23:42 on Fridays
-    - cron: '42 23 * * 5'
+    # schedule daily tests, since some dependencies are not intended to be pinned
+    # this means: at 23:42 every day
+    - cron: '42 23 * * *'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -82,7 +82,7 @@ jobs:
         include:
           - # test with the latest dependencies
             os: ubuntu-latest
-            python-version: '3.12'
+            python-version: '3.13'
             toxenv-factors: '-current'
           - # test with the lowest dependencies
             os: ubuntu-latest
@@ -117,7 +117,8 @@ jobs:
       matrix:
         os: ['ubuntu-latest', 'windows-latest', 'macos-13']
         python-version:
-          - "3.12" # highest supported
+          - "3.13" # highest supported
+          - "3.12"
           - "3.11"
           - "3.10"
           - "3.9"
@@ -215,7 +216,7 @@ jobs:
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@v5
         with:
-          python-version: '>=3.8 <=3.12'  # supported version range
+          python-version: '>=3.8 <=3.13'  # supported version range
       - name: Validate Python Environment
         shell: python
         run: |

.pre-commit-config.yaml

@@ -4,7 +4,7 @@ repos:
     hooks:
       - id: system
         name: mypy
-        entry: poetry run tox -e mypy-locked
+        entry: poetry run tox -e mypy-current
         pass_filenames: false
         language: system
   - repo: local

CHANGELOG.md

@@ -2,6 +2,67 @@
 
 
 
+## v8.3.0 (2024-10-26)
+
+### Documentation
+
+* docs: revisit examples readme (#725)
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`e9020f0`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/e9020f0b709a5245d1749d2811b8568f892869bb))
+
+### Feature
+
+* feat: add basic support for Definitions  (#701)
+
+
+
+---------
+
+Signed-off-by: Hakan Dilek <[email protected]> ([`a1573e5`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/a1573e5af12bb54c7328c73971dc2c2f8d820c0a))
+
+
+## v8.2.1 (2024-10-24)
+
+### Fix
+
+* fix: encode quotation mark in URL (#724)
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`a7c7c97`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/a7c7c97c37ee1c7988c028aa779f74893f858c7b))
+
+
+## v8.2.0 (2024-10-22)
+
+### Feature
+
+* feat: Add Python 3.13 support (#718)
+
+Signed-off-by: gruebel <[email protected]> ([`d4be3ba`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/d4be3ba6b3ccc65553a7dd10ad559c1eddfbb19b))
+
+
+## v8.1.0 (2024-10-21)
+
+### Documentation
+
+* docs: fix code examples regarding outputting (#709)
+
+
+
+Signed-off-by: Hakan Dilek <[email protected]> ([`c72d5f4`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/c72d5f483d5c1990fe643c4c25e37373d4d3248f))
+
+### Feature
+
+* feat: add support for Lifecycles in BOM metadata (#698)
+
+
+
+---------
+
+Signed-off-by: Johannes Feichtner <[email protected]>
+Signed-off-by: Jan Kowalleck <[email protected]>
+Signed-off-by: Johannes Feichtner <[email protected]>
+Co-authored-by: Jan Kowalleck <[email protected]> ([`6cfeb71`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/6cfeb711f11aec8fa4d7be885f6797cc2eaa7e67))
+
+
 ## v8.0.0 (2024-10-14)
 
 ### Breaking

cyclonedx/__init__.py

@@ -22,4 +22,4 @@
 
 # !! version is managed by semantic_release
 # do not use typing here, or else `semantic_release` might have issues finding the variable
-__version__ = "8.0.0"  # noqa:Q000
+__version__ = "8.3.0"  # noqa:Q000

cyclonedx/_internal/__init__.py

@@ -20,3 +20,6 @@
 !!! ALL SYMBOLS IN HERE ARE INTERNAL.
 Everything might change without any notice.
 """
+
+# THIS FILE IS INTENDED TO BE EMPTY.
+# Put symbols in own modules/packages, not in this file!

cyclonedx/_internal/bom_ref.py

@@ -0,0 +1,51 @@
+# This file is part of CycloneDX Python Library
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+
+
+"""
+!!! ALL SYMBOLS IN HERE ARE INTERNAL.
+Everything might change without any notice.
+"""
+
+from typing import Literal, Optional, Union, overload
+
+from ..model.bom_ref import BomRef
+
+
+@overload
+def bom_ref_from_str(bom_ref: BomRef, optional: bool = ...) -> BomRef:
+    ...  # pragma: no cover
+
+
+@overload
+def bom_ref_from_str(bom_ref: Optional[str], optional: Literal[False] = False) -> BomRef:
+    ...  # pragma: no cover
+
+
+@overload
+def bom_ref_from_str(bom_ref: Optional[str], optional: Literal[True] = ...) -> Optional[BomRef]:
+    ...  # pragma: no cover
+
+
+def bom_ref_from_str(bom_ref: Optional[Union[str, BomRef]], optional: bool = False) -> Optional[BomRef]:
+    if isinstance(bom_ref, BomRef):
+        return bom_ref
+    if bom_ref:
+        return BomRef(value=str(bom_ref))
+    return None \
+        if optional \
+        else BomRef()

cyclonedx/model/__init__.py

@@ -689,6 +689,8 @@ class XsUri(serializable.helpers.BaseHelper):
 
     __SPEC_REPLACEMENTS = (
         (' ', '%20'),
+        ('"', '%22'),
+        ("'", '%27'),
         ('[', '%5B'),
         (']', '%5D'),
         ('<', '%3C'),

cyclonedx/model/bom.py

@@ -41,8 +41,10 @@
 from .bom_ref import BomRef
 from .component import Component
 from .contact import OrganizationalContact, OrganizationalEntity
+from .definition import Definitions
 from .dependency import Dependable, Dependency
 from .license import License, LicenseExpression, LicenseRepository
+from .lifecycle import Lifecycle, LifecycleRepository, _LifecycleRepositoryHelper
 from .service import Service
 from .tool import Tool, ToolRepository, _ToolRepositoryHelper
 from .vulnerability import Vulnerability
@@ -70,6 +72,7 @@ def __init__(
         properties: Optional[Iterable[Property]] = None,
         timestamp: Optional[datetime] = None,
         manufacturer: Optional[OrganizationalEntity] = None,
+        lifecycles: Optional[Iterable[Lifecycle]] = None,
         # Deprecated as of v1.6
         manufacture: Optional[OrganizationalEntity] = None,
     ) -> None:
@@ -81,6 +84,7 @@ def __init__(
         self.licenses = licenses or []  # type:ignore[assignment]
         self.properties = properties or []  # type:ignore[assignment]
         self.manufacturer = manufacturer
+        self.lifecycles = lifecycles or []  # type:ignore[assignment]
 
         self.manufacture = manufacture
         if manufacture:
@@ -105,16 +109,23 @@ def timestamp(self) -> datetime:
     def timestamp(self, timestamp: datetime) -> None:
         self._timestamp = timestamp
 
-    # @property
-    # ...
-    # @serializable.view(SchemaVersion1Dot5)
-    # @serializable.xml_sequence(2)
-    # def lifecycles(self) -> ...:
-    #    ... # TODO since CDX1.5
-    #
-    # @lifecycles.setter
-    # def lifecycles(self, ...) -> None:
-    #    ... # TODO since CDX1.5
+    @property
+    @serializable.view(SchemaVersion1Dot5)
+    @serializable.view(SchemaVersion1Dot6)
+    @serializable.type_mapping(_LifecycleRepositoryHelper)
+    @serializable.xml_sequence(2)
+    def lifecycles(self) -> LifecycleRepository:
+        """
+        An optional list of BOM lifecycle stages.
+
+        Returns:
+            Set of `Lifecycle`
+        """
+        return self._lifecycles
+
+    @lifecycles.setter
+    def lifecycles(self, lifecycles: Iterable[Lifecycle]) -> None:
+        self._lifecycles = LifecycleRepository(lifecycles)
 
     @property
     @serializable.type_mapping(_ToolRepositoryHelper)
@@ -290,7 +301,7 @@ def __eq__(self, other: object) -> bool:
     def __hash__(self) -> int:
         return hash((
             tuple(self.authors), self.component, tuple(self.licenses), self.manufacture, tuple(self.properties),
-            self.supplier, self.timestamp, self.tools, self.manufacturer,
+            tuple(self.lifecycles), self.supplier, self.timestamp, self.tools, self.manufacturer
         ))
 
     def __repr__(self) -> str:
@@ -317,6 +328,7 @@ def __init__(
         dependencies: Optional[Iterable[Dependency]] = None,
         vulnerabilities: Optional[Iterable[Vulnerability]] = None,
         properties: Optional[Iterable[Property]] = None,
+        definitions: Optional[Definitions] = None,
     ) -> None:
         """
         Create a new Bom that you can manually/programmatically add data to later.
@@ -333,6 +345,7 @@ def __init__(
         self.vulnerabilities = vulnerabilities or []  # type:ignore[assignment]
         self.dependencies = dependencies or []  # type:ignore[assignment]
         self.properties = properties or []  # type:ignore[assignment]
+        self.definitions = definitions or Definitions()
 
     @property
     @serializable.type_mapping(UrnUuidHelper)
@@ -542,6 +555,22 @@ def vulnerabilities(self, vulnerabilities: Iterable[Vulnerability]) -> None:
     # def formulation(self, ...) -> None:
     #     ...  # TODO Since CDX 1.5
 
+    @property
+    @serializable.view(SchemaVersion1Dot6)
+    @serializable.xml_sequence(110)
+    def definitions(self) -> Optional[Definitions]:
+        """
+        The repository for definitions
+
+        Returns:
+            `DefinitionRepository`
+        """
+        return self._definitions if len(self._definitions.standards) > 0 else None
+
+    @definitions.setter
+    def definitions(self, definitions: Definitions) -> None:
+        self._definitions = definitions
+
     def get_component_by_purl(self, purl: Optional['PackageURL']) -> Optional[Component]:
         """
         Get a Component already in the Bom by its PURL

cyclonedx/model/component.py

@@ -27,6 +27,7 @@
 from packageurl import PackageURL
 from sortedcontainers import SortedSet
 
+from .._internal.bom_ref import bom_ref_from_str as _bom_ref_from_str
 from .._internal.compare import ComparablePackageURL as _ComparablePackageURL, ComparableTuple as _ComparableTuple
 from .._internal.hash import file_sha1sum as _file_sha1sum
 from ..exception.model import InvalidOmniBorIdException, InvalidSwhidException, NoPropertiesProvidedException
@@ -1098,10 +1099,7 @@ def __init__(
     ) -> None:
         self.type = type
         self.mime_type = mime_type
-        if isinstance(bom_ref, BomRef):
-            self._bom_ref = bom_ref
-        else:
-            self._bom_ref = BomRef(value=str(bom_ref) if bom_ref else None)
+        self._bom_ref = _bom_ref_from_str(bom_ref)
         self.supplier = supplier
         self.manufacturer = manufacturer
         self.authors = authors or []  # type:ignore[assignment]

cyclonedx/model/contact.py

@@ -21,6 +21,7 @@
 import serializable
 from sortedcontainers import SortedSet
 
+from .._internal.bom_ref import bom_ref_from_str as _bom_ref_from_str
 from .._internal.compare import ComparableTuple as _ComparableTuple
 from ..exception.model import NoPropertiesProvidedException
 from ..schema.schema import SchemaVersion1Dot6
@@ -49,8 +50,7 @@ def __init__(
         postal_code: Optional[str] = None,
         street_address: Optional[str] = None,
     ) -> None:
-        self._bom_ref = bom_ref if isinstance(bom_ref, BomRef) else BomRef(
-            value=bom_ref) if bom_ref else None
+        self._bom_ref = _bom_ref_from_str(bom_ref, optional=True)
         self.country = country
         self.region = region
         self.locality = locality