Merge pull request #311 from CycloneDX/feat/update-lib-2.0.x

BREAKING CHANGE: update to latest RC of `cyclonedx-python-lib`

Author: madpah

README.md

@@ -44,7 +44,7 @@ Once installed, you can access the full documentation by running `--help`:
 ```text
 $ cyclonedx-bom --help
 usage: cyclonedx-bom [-h] (-c | -cj | -e | -p | -pip | -r) [-i FILE_PATH]
-                 [--format {json,xml}] [--schema-version {1.3,1.2,1.1,1.0}]
+                 [--format {json,xml}] [--schema-version {1.4,1.3,1.2,1.1,1.0}]
                  [-o FILE_PATH] [-F] [-X]
 
 CycloneDX SBOM Generator
@@ -83,9 +83,9 @@ SBOM Output Configuration:
   Choose the output format and schema version
 
   --format {json,xml}   The output format for your SBOM (default: xml)
-  --schema-version {1.3,1.2,1.1,1.0}
+  --schema-version {1.4,1.3,1.2,1.1,1.0}
                         The CycloneDX schema version for your SBOM (default:
-                        1.3)
+                        1.4)
   -o FILE_PATH, --o FILE_PATH, --output FILE_PATH
                         Output file path for your SBOM (set to '-' to output
                         to STDOUT)

cyclonedx_py/__init__.py

@@ -0,0 +1,16 @@
+# encoding: utf-8
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.

cyclonedx_py/client.py

@@ -89,7 +89,7 @@ def get_output(self) -> BaseOutput:
             from importlib.metadata import version as md_version
         else:
             from importlib_metadata import version as md_version  # type: ignore
-        bom.metadata.add_tool(tool=Tool(
+        bom.metadata.tools.add(Tool(
             vendor='CycloneDX', name='cyclonedx-bom', version=md_version('cyclonedx-bom')
         ))
 
@@ -181,7 +181,7 @@ def get_arg_parser() -> argparse.ArgumentParser:
             dest='output_format'
         )
         output_group.add_argument(
-            '--schema-version', action='store', choices=['1.4', '1.3', '1.2', '1.1', '1.0'], default='1.3',
+            '--schema-version', action='store', choices=['1.4', '1.3', '1.2', '1.1', '1.0'], default='1.4',
             help='The CycloneDX schema version for your SBOM (default: %(default)s)',
             dest='output_schema_version'
         )

cyclonedx_py/parser/__init__.py

@@ -13,6 +13,7 @@
 # limitations under the License.
 #
 # SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
 
 """
 Set of concrete classes and methods which allow for quick creation of a Bom instance from your environment or Python

cyclonedx_py/parser/conda.py

@@ -21,7 +21,7 @@
 from abc import ABCMeta, abstractmethod
 from typing import List
 
-from cyclonedx.model import ExternalReference, ExternalReferenceType
+from cyclonedx.model import ExternalReference, ExternalReferenceType, XsUri
 from cyclonedx.model.component import Component
 from cyclonedx.parser import BaseParser
 # See https://github.com/package-url/packageurl-python/issues/65
@@ -65,9 +65,9 @@ def _conda_packages_to_components(self) -> None:
                     type='pypi', name=conda_package['name'], version=str(conda_package['version'])
                 )
             )
-            c.add_external_reference(ExternalReference(
+            c.external_references.add(ExternalReference(
                 reference_type=ExternalReferenceType.DISTRIBUTION,
-                url=conda_package['base_url'],
+                url=XsUri(conda_package['base_url']),
                 comment=f"Distribution name {conda_package['dist_name']}"
             ))
 

cyclonedx_py/parser/environment.py

@@ -68,14 +68,12 @@ def __init__(self) -> None:
                 c.author = i_metadata['Author']
 
             if 'License' in i_metadata and i_metadata['License'] != 'UNKNOWN':
-                c.licenses.append(
-                    LicenseChoice(license_expression=i_metadata['License'])
-                )
+                c.licenses.add(LicenseChoice(license_expression=i_metadata['License']))
 
             if 'Classifier' in i_metadata:
                 for classifier in i_metadata['Classifier']:
                     if str(classifier).startswith('License :: OSI Approved :: '):
-                        c.licenses.append(
+                        c.licenses.add(
                             LicenseChoice(
                                 license_expression=str(classifier).replace('License :: OSI Approved :: ', '').strip()
                             )

cyclonedx_py/parser/pipenv.py

@@ -20,7 +20,7 @@
 import json
 from typing import Any, Dict
 
-from cyclonedx.model import ExternalReference, ExternalReferenceType, HashType
+from cyclonedx.model import ExternalReference, ExternalReferenceType, HashType, XsUri
 from cyclonedx.model.component import Component
 from cyclonedx.parser import BaseParser
 # See https://github.com/package-url/packageurl-python/issues/65
@@ -48,11 +48,11 @@ def __init__(self, pipenv_contents: str) -> None:
                 for pip_hash in package_data['hashes']:
                     ext_ref = ExternalReference(
                         reference_type=ExternalReferenceType.DISTRIBUTION,
-                        url=c.get_pypi_url(),
+                        url=XsUri(c.get_pypi_url()),
                         comment='Distribution available from pypi.org'
                     )
-                    ext_ref.add_hash(HashType.from_composite_str(pip_hash))
-                    c.add_external_reference(ext_ref)
+                    ext_ref.hashes.add(HashType.from_composite_str(pip_hash))
+                    c.external_references.add(ext_ref)
 
             self._components.append(c)
 

cyclonedx_py/parser/poetry.py

@@ -18,7 +18,7 @@
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 
 from cyclonedx.exception.model import UnknownHashTypeException
-from cyclonedx.model import ExternalReference, ExternalReferenceType, HashType
+from cyclonedx.model import ExternalReference, ExternalReferenceType, HashType, XsUri
 from cyclonedx.model.component import Component
 from cyclonedx.parser import BaseParser
 # See https://github.com/package-url/packageurl-python/issues/65
@@ -41,9 +41,9 @@ def __init__(self, poetry_lock_contents: str) -> None:
 
             for file_metadata in poetry_lock['metadata']['files'][package['name']]:
                 try:
-                    component.add_external_reference(ExternalReference(
+                    component.external_references.add(ExternalReference(
                         reference_type=ExternalReferenceType.DISTRIBUTION,
-                        url=component.get_pypi_url(),
+                        url=XsUri(component.get_pypi_url()),
                         comment=f'Distribution file: {file_metadata["file"]}',
                         hashes=[HashType.from_composite_str(file_metadata['hash'])]
                     ))

cyclonedx_py/py.typed

@@ -0,0 +1,2 @@
+# Marker file for PEP 561.  This package uses inline types.
+# This file is needed to allow other packages to type-check their code against this package.

cyclonedx_py/utils/__init__.py

@@ -0,0 +1,20 @@
+# encoding: utf-8
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+
+"""
+Set of utility classes.
+"""

poetry.lock

@@ -16,16 +16,26 @@ include = [
 classifiers = [
     # Trove classifiers - https://packaging.python.org/specifications/core-metadata/#metadata-classifier
     # Full list: https://pypi.python.org/pypi?%3Aaction=list_classifiers
+    'Development Status :: 5 - Production/Stable',
+    'Intended Audience :: Developers',
+    'Intended Audience :: Information Technology',
+    'Intended Audience :: Legal Industry',
+    'Intended Audience :: System Administrators',
+    'Topic :: Security',
+    'Topic :: Software Development',
+    'Topic :: System :: Software Distribution',
+    'License :: OSI Approved :: Apache Software License',
     'Programming Language :: Python :: 3.6',
     'Programming Language :: Python :: 3.7',
     'Programming Language :: Python :: 3.8',
     'Programming Language :: Python :: 3.9',
-    'Programming Language :: Python :: 3.10'
+    'Programming Language :: Python :: 3.10',
+    'Typing :: Typed'
 ]
 
 [tool.poetry.dependencies]
 python = "^3.6"
-cyclonedx-python-lib = "^1.3.0"
+cyclonedx-python-lib = ">= 2.0.0rc4, < 3.0.0"
 
 [tool.poetry.dev-dependencies]
 autopep8 = "^1.6.0"

pyproject.toml

@@ -16,7 +16,6 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) OWASP Foundation. All Rights Reserved.
-
 import os
 from unittest import TestCase
 
@@ -33,13 +32,12 @@ def test_conda_list_json(self) -> None:
             conda_list_ouptut_fh.close()
 
         self.assertEqual(34, parser.component_count())
-        components = parser.get_components()
-
-        c_noarch = [x for x in components if x.name == 'idna'][0]
+        c_noarch = next(filter(lambda c: c.name == 'idna', parser.get_components()), parser.get_components)
+        self.assertIsNotNone(c_noarch)
         self.assertEqual('idna', c_noarch.name)
         self.assertEqual('2.10', c_noarch.version)
         self.assertEqual(1, len(c_noarch.external_references))
-        self.assertEqual(0, len(c_noarch.external_references[0].get_hashes()))
+        self.assertEqual(0, len(c_noarch.external_references.pop().hashes))
 
     def test_conda_list_explicit_md5(self) -> None:
         conda_list_ouptut_file = os.path.join(os.path.dirname(__file__), 'fixtures/conda-list-explicit-md5.txt')
@@ -49,10 +47,9 @@ def test_conda_list_explicit_md5(self) -> None:
             conda_list_ouptut_fh.close()
 
         self.assertEqual(34, parser.component_count())
-        components = parser.get_components()
-
-        c_noarch = [x for x in components if x.name == 'idna'][0]
+        c_noarch = next(filter(lambda c: c.name == 'idna', parser.get_components()), parser.get_components)
+        self.assertIsNotNone(c_noarch)
         self.assertEqual('idna', c_noarch.name)
         self.assertEqual('2.10', c_noarch.version)
         self.assertEqual(1, len(c_noarch.external_references))
-        self.assertEqual(0, len(c_noarch.external_references[0].get_hashes()))
+        self.assertEqual(0, len(c_noarch.external_references.pop().hashes))

tests/test_parser_conda.py

@@ -16,11 +16,8 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) OWASP Foundation. All Rights Reserved.
-
 from unittest import TestCase
 
-from cyclonedx.model.component import Component
-
 from cyclonedx_py.parser.environment import EnvironmentParser
 
 
@@ -37,6 +34,7 @@ def test_simple(self) -> None:
         self.assertGreater(parser.component_count(), 1)
 
         # We can only be sure that tox is in the environment, for example as we use tox to run tests
-        c_tox: Component = [x for x in parser.get_components() if x.name == 'tox'][0]
+        c_tox = next(filter(lambda c: c.name == 'tox', parser.get_components()), parser.get_components)
+        self.assertIsNotNone(c_tox)
         self.assertIsNotNone(c_tox.licenses)
-        self.assertEqual('MIT', c_tox.licenses[0].expression)
+        self.assertEqual('MIT', c_tox.licenses.pop().expression)