feat: Release 4.0.0 #341)

Highlights of this release include:
* Support for De-serialization from JSON and XML to this Pythonic Model
* Deprecation of Python 3.6 support
* Support for Python 3.11
* Support for `BomLink`
* Support VEX without needing `Component` in the same `Bom`
* Support for `services` having `dependencies`

BREAKING CHANGE: Large portions of this library have been re-written for this release and many methods and contracts have changed.

Signed-off-by: Paul Horton <paul.horton@owasp.org>

* feat: support VEX without Components in the same BOM

BREAKING CHANGE: Model classes changed to relocated Vulnerability at Bom, not at Component

Signed-off-by: Paul Horton <paul.horton@owasp.org>

* feat: support VEX without Components in the same BOM

BREAKING CHANGE: Model classes changed to relocated Vulnerability at Bom, not at Component

Signed-off-by: Paul Horton <paul.horton@owasp.org>

feat: allow `version` of BOM to be defined

feat: allow `serial_number` of BOM to be prescribed

feat: add helper method to get URN for a BOM according to https://www.iana.org/assignments/urn-formal/cdx
Signed-off-by: Paul Horton <paul.horton@owasp.org>

* chore: fix release workflow

* chore: editorconfig

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

* feat: support for deserialization from JSON and XML (#290)

BREAKING CHANGE:

* feat: drop Python 3.6 support

Signed-off-by: Hakan Dilek <hakandilek@gmail.com>
Signed-off-by: Paul Horton <paul.horton@owasp.org>
Co-authored-by: Hakan Dilek <hakandilek@gmail.com>
Co-authored-by: Hakan Dilek <hakandilek@users.noreply.github.com>

* fix: update `serializable` to include XML safety changes

Signed-off-by: Paul Horton <paul.horton@owasp.org>

* feat: Support for Python 3.11 (#349)

* feat: officially test and support Python 3.11

Signed-off-by: Paul Horton <paul.horton@owasp.org>

* removed unused imports

Signed-off-by: Paul Horton <paul.horton@owasp.org>

* bump `poetry` to `1.1.12` in CI

Signed-off-by: Paul Horton <paul.horton@owasp.org>

* fix: remove `toml` as dependency as not used and seems to be breaking Python 3.11 CI

Signed-off-by: Paul Horton <paul.horton@owasp.org>

* fix: removed `types-toml` from dependencies - not used

Signed-off-by: Paul Horton <paul.horton@owasp.org>

---------

Signed-off-by: Paul Horton <paul.horton@owasp.org>

* fix: removed `autopep8` in favour of `flake8` as both have conflicting dependencies now

Signed-off-by: Paul Horton <paul.horton@owasp.org>

* chore: bump dev dependencies

fix: removed `setuptools` as dependency
Signed-off-by: Paul Horton <paul.horton@owasp.org>

* tests: compoennt versions optional (#350)

* chore: exclude `venv*` from QA; add typing to QA

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

* tests: component versions are optional

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

---------

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

* doc: doc updates for new deserialization feature

Signed-off-by: Paul Horton <paul.horton@owasp.org>

* doc: doc updates for contribution

Signed-off-by: Paul Horton <paul.horton@owasp.org>

---------

Signed-off-by: Paul Horton <paul.horton@owasp.org>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Hakan Dilek <hakandilek@gmail.com>
Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Co-authored-by: Hakan Dilek <hakandilek@gmail.com>
Co-authored-by: Hakan Dilek <hakandilek@users.noreply.github.com>

Author: 3 people

.github/workflows/deploy.yml

@@ -4,9 +4,9 @@ on:
   push:
     branches: [ 'main' ]
   workflow_dispatch:
-  
+
 env:
-  PYTHON_VERSION_DEFAULT: "3.10"
+  PYTHON_VERSION_DEFAULT: "3.11"
   POETRY_VERSION: "1.1.12"
 
 jobs:
@@ -22,14 +22,14 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
-          
+
       - name: Setup python
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@v4
         with:
           python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
           architecture: 'x64'
-          
+
       - name: Install and configure Poetry
         # See https://github.com/marketplace/actions/install-poetry-action
         uses: snok/install-poetry@v1
@@ -38,17 +38,17 @@ jobs:
           virtualenvs-create: true
           virtualenvs-in-project: true
           installer-parallel: true
-          
+
       - name: Install dependencies
         run: poetry install --no-root
 
       - name: View poetry version
         run: poetry --version
-        
+
       - name: Python Semantic Release
         # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html
         # see https://github.com/relekang/python-semantic-release
-        uses: relekang/python-semantic-release@v7.33.1
+        uses: relekang/python-semantic-release@v7.33.2
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           repository_username: __token__

.github/workflows/manual-release-candidate.yml

@@ -25,7 +25,7 @@ jobs:
           python -m pip install poetry --upgrade pip
           poetry config virtualenvs.create false
           poetry install
-          python -m pip install python-semantic-release
+          python -m pip install python-semantic-release==7.28.1
       - name: Apply Pre Release Version
         run: |
           RC_VERSION="$(semantic-release --noop --major print-version)-${{ github.event.inputs.release_candidate_suffix }}"