From e492b844d9cadeae0bf399f7c872fbd25ff0d314 Mon Sep 17 00:00:00 2001 From: Peter Schuster Date: Mon, 23 Mar 2026 15:07:52 +0100 Subject: [PATCH 01/21] chore: extract glob for pyupgrade to separate script for cross-platform compatibility (#950) Currently pyupgrade cannot be run on Windows due to 'sh' in tox.ini not working in PowerShell. Adding a separate script for this might be controversial. \ I could not find another solution that is platform independent, except from inline python in tox.ini which got "complicated" due to `{posargs}`. However, if anyone has a better idea, this could be reworked. ### AI Tool Disclosure - [X] My contribution includes AI-generated content, as disclosed below: - The contents of the new script is based on suggestions from Claude Sonnet 4.6 ### Affirmation - [X] My code follows the [CONTRIBUTING.md](https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CONTRIBUTING.md) guidelines --------- Signed-off-by: Peter Schuster Signed-off-by: Jan Kowalleck Co-authored-by: Jan Kowalleck --- tools/run_pyupgrade.py | 54 ++++++++++++++++++++++++++++++++++++++++++ tox.ini | 6 ++--- 2 files changed, 56 insertions(+), 4 deletions(-) create mode 100755 tools/run_pyupgrade.py diff --git a/tools/run_pyupgrade.py b/tools/run_pyupgrade.py new file mode 100755 index 000000000..e040c5071 --- /dev/null +++ b/tools/run_pyupgrade.py 
@@ -0,0 +1,54 @@
+#!/usr/bin/env python3
+
+# This file is part of CycloneDX Python Library
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+
+import subprocess # nosec - subprocess is used to run pyupgrade and not part of published library
+import sys
+from pathlib import Path
+
+HELP = f"""
+Wrapper around pyupgrade to perform a lookup of all *.py/*.pyi files in passed directories
+and pass them to pyupgrade in a single invocation.
+
+Usage: {sys.argv[0]} [pyupgrade-args ...] --
+"""
+
+if '--' not in sys.argv:
+ print(HELP, file=sys.stderr)
+ sys.exit(1)
+
+sep = sys.argv.index('--')
+pyupgrade_args = sys.argv[1:sep]
+directories = sys.argv[sep + 1:]
+
+if not directories:
+ print('Error: at least one directory must be specified after --', '\n', HELP, file=sys.stderr)
+ sys.exit(2)
+
+files = sorted({
+ str(file)
+ for directory in directories
+ for pattern in ['*.py', '*.pyi']
+ for file in Path(directory).rglob(pattern)
+})
+
+result = subprocess.run( # nosec - shell=False is used to prevent injection, all arg passed as a list
+ [sys.executable, '-m', 'pyupgrade', *pyupgrade_args, *files],
+ shell=False # w/o shell all args are passed directly to the process without the need for quotes or escaping
+)
+sys.exit(result.returncode)
diff --git a/tox.ini b/tox.ini
index af228b75a..8afcf3aa0 100644
--- a/tox.ini
+++ b/tox.ini
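Review bot: A directory that does not exist (or is mistyped in tox.ini) is silently accepted: `Path(directory).rglob(pattern)` yields nothing for a missing path, `files` ends up empty, and pyupgrade is then invoked with no files at all, so the tox env exits 0 without having checked anything. A guard right after the `files = sorted({...})` comprehension makes that loud: `if not files:` / `print('Error: no *.py/*.pyi files found in', directories, file=sys.stderr)` / `sys.exit(3)`. Since the script exists for Windows, note also that the whole file list goes onto one command line, and a large enough tree would exceed the Windows command-length limit; if that is ever hit, splitting `files` into several pyupgrade invocations is the fix. The usage line as shown ends at `--` with no directory operand; if that is what the file really says, spelling it out as `Usage: {sys.argv[0]} [pyupgrade-args ...] -- DIR [DIR ...]` would match the `at least one directory must be specified after --` error below it.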
@@ -52,10 +52,8 @@ commands = poetry run deptry -v . [testenv:pyupgrade] -allowlist_externals = poetry, sh -commands = sh -c "\ - find cyclonedx typings tests tools examples -type f \( -name '*.py' -or -name '*.pyi' \) -print0 \ - | xargs -0 poetry run pyupgrade --py39-plus {posargs} " +# first -- stops command parsing by poetry run, the second -- splits pyupgrade args from args for glob patterns +commands = poetry run -- python tools/run_pyupgrade.py --py39-plus {posargs} -- cyclonedx typings tests tools examples [testenv:isort] commands = poetry run isort . From 752b1620a23e319add81c505fe7197a2ae3cca06 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 24 Mar 2026 12:27:47 +0100 Subject: [PATCH 02/21] docs: update CDX summary (#951) A clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context. Signed-off-by: Jan Kowalleck --- README.md | 4 ++-- docs/index.rst | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 2017b51b3..31f088eee 100644 --- a/README.md +++ b/README.md @@ -14,8 +14,8 @@ ---- -OWASP [CycloneDX][link_website] is a full-stack Bill of Materials (BOM) standard -that provides advanced supply chain capabilities for cyber risk reduction. +OWASP [CycloneDX][link_website] is a full‑stack Bill of Materials (BOM) and system‑transparency standard +that provides deep visibility into software, services, hardware, and AI components, enabling advanced supply‑chain security and cyber‑risk reduction. This Python package provides data models, validators and more, to help you create/render/read CycloneDX documents. diff --git a/docs/index.rst b/docs/index.rst index 729103101..74632d755 100644 --- a/docs/index.rst +++ b/docs/index.rst 
@@ -13,10 +13,10 @@ # SPDX-License-Identifier: Apache-2.0 CycloneDX’s Python Library documentation -==================================================== +======================================== -OWASP `CycloneDX`_ is a full-stack Bill of Materials (BOM) standard -that provides advanced supply chain capabilities for cyber risk reduction. +OWASP `CycloneDX`_ is a full‑stack Bill of Materials (BOM) and system‑transparency standard +that provides deep visibility into software, services, hardware, and AI components, enabling advanced supply‑chain security and cyber‑risk reduction. This Python package provides data models, validators and more, to help you create/render/read CycloneDX documents. From b8b8720e84edfb81dd55956891d7815e1d81689c Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 7 Apr 2026 12:34:47 +0200 Subject: [PATCH 03/21] chore: fix test coverage reporting (#956) ### Description fix coverage reporting failing runs: - timeout https://github.com/CycloneDX/cyclonedx-python-lib/actions/runs/24053559593/job/70220791872#step:3:350 - unresolvable target: https://github.com/CycloneDX/cyclonedx-python-lib/actions/runs/24052662937/job/70152194867#step:3:422 ### AI Tool Disclosure - [x] My contribution does not include any AI-generated content - [ ] My contribution includes AI-generated content, as disclosed below: - AI Tools: `[e.g. GitHub CoPilot, ChatGPT, JetBrains Junie etc.]` - LLMs and versions: `[e.g. GPT-4.1, Claude Haiku 4.5, Gemini 2.5 Pro etc.]` - Prompts: `[Summarize the key prompts or instructions given to the AI tools]` ### Affirmation - [x] My code follows the [CONTRIBUTING.md](https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CONTRIBUTING.md) guidelines Signed-off-by: Jan Kowalleck --- .github/workflows/python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 40dfc86d9..db50276fa 100644 --- a/.github/workflows/python.yml 
+++ b/.github/workflows/python.yml @@ -236,7 +236,7 @@ jobs: name: Publish test coverage needs: [ "build-and-test" ] runs-on: ubuntu-latest - timeout-minutes: 5 + timeout-minutes: 10 steps: - name: fetch test artifacts # see https://github.com/actions/download-artifact From d04d0438ad1bf82214058a927a769daa5613ff6b Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 8 Apr 2026 09:34:27 +0200 Subject: [PATCH 04/21] Update CONTRIBUTING.md Signed-off-by: Jan Kowalleck --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index ffa914d2f..cee8f2557 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -67,7 +67,7 @@ Please sign off your commits, to show that you agree to publish your changes und , and to indicate agreement with [Developer Certificate of Origin (DCO)](https://developercertificate.org/). ```shell -git commit --signoff ... +git commit -s ... ``` ## Pre-commit hooks From 204dfddbec84d863f50ca660b6200ec4e1290c16 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Apr 2026 11:34:24 +0200 Subject: [PATCH 05/21] chore(deps-dev): update tomli requirement from 2.3.0 to 2.4.1 (#954) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 52b5dfdc6..75521da5f 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -98,7 +98,7 @@ pep8-naming = "0.15.1" isort = "6.1.0" autopep8 = "2.3.2" mypy = "1.19.1" -tomli = { version = "2.3.0", python = "<3.11" } +tomli = { version = "2.4.1", python = "<3.11" } tox = "4.30.3" xmldiff = "2.7.0" bandit = "1.8.6" From 7209c314382d09fec5bc1ca6323fb5ebbe14494d Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 15 Apr 2026 13:55:37 +0200 Subject: [PATCH 06/21] chore(release): use own GH app for releasing (#958) 
Signed-off-by: Jan Kowalleck Co-authored-by: semantic-release Co-authored-by: cyclonedx-internal-release-bot[bot] <275040549+cyclonedx-internal-release-bot[bot]@users.noreply.github.com> Co-authored-by: cyclonedx-releases[bot] <275040549+cyclonedx-releases[bot]@users.noreply.github.com> --- .github/workflows/release.yml | 23 +++++++++++++++++++++-- pyproject.toml | 3 +-- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index eb99f16a7..1b2780b4d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -103,11 +103,28 @@ jobs: id-token: write contents: write steps: + - name: Generate GitHub App Token + id: release-bot-token + # see https://github.com/actions/create-github-app-token + uses: actions/create-github-app-token@v3 + with: + # see https://github.com/organizations/CycloneDX/settings/apps/cyclonedx-releases + app-id: 3335294 + private-key: ${{ secrets.CDX_RELEASE_BOT_PRIVATE_KEY }} + - name: Get GitHub App User ID + id: release-bot-user-id + run: | + set -xeu + echo "user-id=$(gh api "/users/${{ steps.release-bot-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" + env: + GH_TOKEN: ${{ steps.release-bot-token.outputs.token }} + - name: Checkout code # see https://github.com/actions/checkout uses: actions/checkout@v6 with: fetch-depth: 0 + token: ${{ steps.release-bot-token.outputs.token }} - name: Setup python # see https://github.com/actions/setup-python 
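Review bot: The new `Get GitHub App User ID` step interpolates `${{ steps.release-bot-token.outputs.app-slug }}` straight into the `run:` shell script, which is the expression-injection pattern zizmor reports as template-injection; the value comes from an action output rather than an untrusted event field, so the exposure here is low, but the safe form is to pass it through `env:` as `APP_SLUG: ${{ steps.release-bot-token.outputs.app-slug }}` and reference `"${APP_SLUG}[bot]"` in the script. Patch 08 of this series makes exactly that change, so this is a note for the record rather than a new fix request. The token is also requested without any `permission-*` input, so it carries every permission granted to the app; scoping it to what semantic-release needs (patch 08 adds `permission-contents: write`) keeps the release job least-privilege.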
@@ -134,7 +151,9 @@ jobs: # see https://github.com/python-semantic-release/python-semantic-release uses: python-semantic-release/python-semantic-release@v10.0.2 with: - github_token: ${{ secrets.GITHUB_TOKEN }} + git_committer_name: ${{ steps.release-bot-token.outputs.app-slug }}[bot] + git_committer_email: ${{ steps.release-bot-user-id.outputs.user-id }}+${{ steps.release-bot-token.outputs.app-slug }}[bot]@users.noreply.github.com + github_token: ${{ steps.release-bot-token.outputs.token }} force: ${{ github.event.inputs.release_force }} prerelease: ${{ github.event.inputs.prerelease }} prerelease_token: ${{ github.event.inputs.prerelease_token }} @@ -151,5 +170,5 @@ jobs: # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html#python-semantic-release-publish-action uses: python-semantic-release/publish-action@v10 with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.release-bot-token.outputs.token }} tag: ${{ steps.release.outputs.tag }} diff --git a/pyproject.toml b/pyproject.toml index 75521da5f..532b1e6cf 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -115,8 +115,7 @@ jsonschema = { version = "*", extras = ["format"], optional=true } logging_use_named_masks = true commit_parser = "conventional" commit_parser_options = { parse_squash_commits = true, ignore_merge_commits = true } -commit_author = "semantic-release " -commit_message = "chore(release): {version}\n\nAutomatically generated by python-semantic-release\n\nSigned-off-by: semantic-release " +commit_message = "chore(release): {version}\n\nAutomatically generated by python-semantic-release" upload_to_vcs_release = true build_command = """ pip install poetry From 4ef5bc3eddb7a9f86763bd50bd3a9dc69c7d31fa Mon Sep 17 00:00:00 2001 
From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Wed, 15 Apr 2026 14:22:21 +0200 Subject: [PATCH 07/21] chore(ci): pin GitHub Actions to immutable SHAs while preserving tag tracking (#961) Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com> --- .github/workflows/python.yml | 48 +++++++++++++++++------------------ .github/workflows/release.yml | 24 +++++++++--------- 2 files changed, 36 insertions(+), 36 deletions(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index db50276fa..46e29b82f 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -33,16 +33,16 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@v9 + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies 
@@ -57,16 +57,16 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@v9 + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -81,16 +81,16 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@v9 + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies 
@@ -105,16 +105,16 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@v9 + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -141,16 +141,16 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ matrix.python-version }} architecture: 'x64' - name: Install poetry # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@v9 + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -191,12 +191,12 @@ jobs: git config --global core.eol lf - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Create reports directory run: mkdir ${{ env.REPORTS_DIR }} - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ matrix.python-version }} architecture: 'x64' 
@@ -207,7 +207,7 @@ jobs: print('Python %s on %s in %s' % (sys.version, sys.platform, sys.getdefaultencoding())) - name: Install poetry # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@v9 + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -226,7 +226,7 @@ jobs: - name: Artifact reports if: ${{ ! cancelled() }} # see https://github.com/actions/upload-artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: ${{ env.TESTS_REPORTS_ARTIFACT }}-${{ matrix.os }}-py${{ matrix.python-version }}${{ matrix.toxenv-factors }} path: ${{ env.REPORTS_DIR }} @@ -240,7 +240,7 @@ jobs: steps: - name: fetch test artifacts # see https://github.com/actions/download-artifact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 with: path: ${{ env.REPORTS_DIR }} pattern: ${{ env.TESTS_REPORTS_ARTIFACT }}-* @@ -250,7 +250,7 @@ jobs: CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }} if: ${{ env.CODACY_PROJECT_TOKEN != '' }} ## see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-using-secrets # see https://github.com/codacy/codacy-coverage-reporter-action - uses: codacy/codacy-coverage-reporter-action@v1 + uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1 with: project-token: ${{ env.CODACY_PROJECT_TOKEN }} coverage-reports: ${{ env.REPORTS_DIR }}/coverage/* 
@@ -269,10 +269,10 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '>=3.9 <=3.14' # supported version range - name: Validate Python Environment @@ -282,7 +282,7 @@ jobs: print('Python %s on %s in %s' % (sys.version, sys.platform, sys.getdefaultencoding())) - name: Install poetry # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@v9 + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install package and prod dependencies diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1b2780b4d..6215ce44f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -48,16 +48,16 @@ jobs: steps: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@v9 + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies 
@@ -70,16 +70,16 @@ jobs: steps: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@v9 + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -121,20 +121,20 @@ jobs: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 token: ${{ steps.release-bot-token.outputs.token }} - name: Setup python # see https://github.com/actions/setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install and configure Poetry # See https://github.com/marketplace/actions/install-poetry-action - uses: snok/install-poetry@v1 + uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1 with: version: ${{ env.POETRY_VERSION }} virtualenvs-create: true 
@@ -149,7 +149,7 @@ jobs: id: release # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html # see https://github.com/python-semantic-release/python-semantic-release - uses: python-semantic-release/python-semantic-release@v10.0.2 + uses: python-semantic-release/python-semantic-release@1a324000f2251a9e722e77b128bf72712653813f # v10.0.2 with: git_committer_name: ${{ steps.release-bot-token.outputs.app-slug }}[bot] git_committer_email: ${{ steps.release-bot-user-id.outputs.user-id }}+${{ steps.release-bot-token.outputs.app-slug }}[bot]@users.noreply.github.com @@ -161,14 +161,14 @@ jobs: - name: Publish package distributions to PyPI if: steps.release.outputs.released == 'true' # see https://github.com/pypa/gh-action-pypi-publish - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 with: attestations: true - name: Publish package distributions to GitHub Releases if: steps.release.outputs.released == 'true' # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html#python-semantic-release-publish-action - uses: python-semantic-release/publish-action@v10 + uses: python-semantic-release/publish-action@310a9983a0ae878b29f3aac778d7c77c1db27378 # v10 with: github_token: ${{ steps.release-bot-token.outputs.token }} tag: ${{ steps.release.outputs.tag }} From 52c29afe0e17339daf77fc107f21072d4bf52425 Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Mon, 4 May 2026 14:40:30 +0200 Subject: [PATCH 08/21] chore: add zizmor workflow to harden GitHub Actions security (#968) 
Signed-off-by: Jan Kowalleck Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com> Co-authored-by: Jan Kowalleck Co-authored-by: cyclonedx-releases[bot] <275040549+cyclonedx-releases[bot]@users.noreply.github.com> --- .github/dependabot.yml | 4 ++++ .github/workflows/python.yml | 14 +++++++++++ .github/workflows/release.yml | 16 +++++++++---- .github/workflows/zizmor.yml | 45 +++++++++++++++++++++++++++++++++++ .pre-commit-config.yaml | 4 ++++ pyproject.toml | 10 ++++---- 6 files changed, 83 insertions(+), 10 deletions(-) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 423d4b3f6..e91d61095 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,6 +7,8 @@ updates: schedule: interval: 'weekly' day: 'saturday' + cooldown: + default-days: 7 allow: - dependency-type: 'all' versioning-strategy: 'auto' @@ -21,6 +23,8 @@ updates: schedule: interval: 'weekly' day: 'saturday' + cooldown: + default-days: 7 labels: [ 'dependencies' ] commit-message: ## prefix maximum string length of 15 diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 46e29b82f..c32a4c52f 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -34,6 +34,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 
@@ -58,6 +60,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -82,6 +86,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -106,6 +112,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -142,6 +150,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -192,6 +202,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Create reports directory run: mkdir ${{ env.REPORTS_DIR }} - name: Setup Python Environment 
@@ -270,6 +282,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6215ce44f..9fc60639a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -49,6 +49,8 @@ jobs: - name: Checkout code # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -71,6 +73,8 @@ jobs: - name: Checkout code # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 
@@ -106,18 +110,19 @@ jobs: - name: Generate GitHub App Token id: release-bot-token # see https://github.com/actions/create-github-app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3 with: # see https://github.com/organizations/CycloneDX/settings/apps/cyclonedx-releases - app-id: 3335294 + client-id: 3335294 private-key: ${{ secrets.CDX_RELEASE_BOT_PRIVATE_KEY }} + # for `permission-*` see `permissions` above + permission-contents: write - name: Get GitHub App User ID id: release-bot-user-id - run: | - set -xeu - echo "user-id=$(gh api "/users/${{ steps.release-bot-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" env: + APP_SLUG: ${{ steps.release-bot-token.outputs.app-slug }} GH_TOKEN: ${{ steps.release-bot-token.outputs.token }} + run: echo "user-id=$(gh api "/users/${APP_SLUG}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" - name: Checkout code # see https://github.com/actions/checkout @@ -125,6 +130,7 @@ jobs: with: fetch-depth: 0 token: ${{ steps.release-bot-token.outputs.token }} + persist-credentials: false - name: Setup python # see https://github.com/actions/setup-python diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 000000000..325898889 --- /dev/null +++ b/.github/workflows/zizmor.yml 
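Review bot: In the rewritten `Get GitHub App User ID` step a failing `gh api` call no longer fails the step: the command substitution runs inside the `echo` argument, so the shell's `-e` does not trip on it, an empty `user-id=` is written to `$GITHUB_OUTPUT`, and the later `git_committer_email` becomes `+…[bot]@users.noreply.github.com` with nothing before the plus. The removed `set -xeu` did not catch this either, but splitting the assignment out does: `run: |` / `user_id="$(gh api "/users/${APP_SLUG}[bot]" --jq .id)"` / `echo "user-id=${user_id}" >> "$GITHUB_OUTPUT"`. Moving the slug into `env:` is the right fix for the template-injection finding; the second hunk's `persist-credentials: false` on a checkout that still passes `token:` is fine as long as the later semantic-release step pushes with its own `github_token`, which I cannot confirm from this hunk.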
@@ -0,0 +1,45 @@ +# Analyzes all GitHub Actions workflows for security issues using zizmor. +# docs: https://docs.zizmor.sh/ +name: Workflow Security Analysis (zizmor) + +on: + pull_request: + paths: + - ".github/workflows/**" + push: + paths: + - ".github/workflows/**" + schedule: + # Every Saturday at 00:00 UTC + - cron: "0 0 * * 6" + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + zizmor: + name: zizmor + runs-on: ubuntu-latest + timeout-minutes: 10 + steps: + - name: Checkout + # see https://github.com/actions/checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + - name: Run zizmor + # see https://github.com/zizmorcore/zizmor-action + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + with: + # advanced-security: false => emit findings as workflow-command annotations (::error file=…) rather than + # uploading a SARIF report to GitHub's Security tab. + # Uploading SARIF requires `security-events: write` and GitHub Advanced Security (GHAS), + # both of which are unnecessary here and would violate the least-privilege policy. + # The two modes are mutually exclusive: advanced-security must be false for + # annotations to take effect. + advanced-security: false + annotations: true diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 44a9bcc11..a6573d028 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -42,3 +42,7 @@ repos: entry: poetry run -- tox r -e bandit pass_filenames: false language: system + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: v1.24.1 + hooks: + - id: zizmor diff --git a/pyproject.toml b/pyproject.toml index 532b1e6cf..13862476d 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -146,15 +146,15 @@ exclude_commit_patterns = [ match = "(main|master)" prerelease = false -[tool.semantic_release.branches."step"] -match = "(build|chore|ci|docs|feat|fix|perf|style|refactor|tests?)" -prerelease = true -prerelease_token = "alpha" - [tool.semantic_release.branches."major-dev"] match = "(\\d+\\.0\\.0-(dev|rc)|dev/\\d+\\.0\\.0)" prerelease = true prerelease_token = "rc" +[tool.semantic_release.branches.fallback] +match = ".*" +prerelease = true +prerelease_token = "alpha" + [tool.deptry] extend_exclude = ["docs", "examples", "package_aliases", "tools"] From 1a6dfb047631085d2acddc38afbe41413a4f9420 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 6 May 2026 19:23:05 +0200 Subject: [PATCH 09/21] Update PULL_REQUEST_TEMPLATE.md (#974) Signed-off-by: Jan Kowalleck --- .github/PULL_REQUEST_TEMPLATE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index e19c5da37..51bc6246f 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -24,7 +24,7 @@ provide the required disclosure, your PR will not be merged. A clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context. -Resolves or fixes issue: +Resolves or fixes issue: ### AI Tool Disclosure From 0daf3f99c171d64634443cfecea12eb10c84fde9 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 6 May 2026 20:56:48 +0200 Subject: [PATCH 10/21] chore: Update CONTRIBUTING.md (#975) Signed-off-by: Jan Kowalleck --- CONTRIBUTING.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index cee8f2557..39b65018d 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -9,6 +9,16 @@ Find the needed basics here: * [how to fork a repository](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/fork-a-repo) * [how create a pull request from a fork](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork) + +## Pullrequests + +When opening a pull request, use the repository’s pull request template and complete all required fields. +Keep each pull request focused on a single topic or problem. + +Every pull request must reference an existing issue that it aims to address. +If no issue exists for your topic, please create one first using the appropriate issue template, then link your pull request to it. + + ## Setup This project uses [poetry]. Have it installed and setup first. From 392ba604f2510bdfaab5020f8cd7c54f8140dd6a Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 3 Jun 2026 15:56:07 +0200 Subject: [PATCH 11/21] chore(ci): comments for pinned actions (#984) Signed-off-by: Jan Kowalleck --- .github/workflows/python.yml | 62 +++++++++++++++++------------------ .github/workflows/release.yml | 32 +++++++++--------- .github/workflows/zizmor.yml | 31 +++++++++--------- 3 files changed, 62 insertions(+), 63 deletions(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index c32a4c52f..492a9f2c9 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml 
@@ -33,18 +33,18 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 + # see https://github.com/Gr1N/setup-poetry + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -59,18 +59,18 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 + # see https://github.com/Gr1N/setup-poetry + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies 
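Review bot: The `Gr1N/setup-poetry` step keeps the coarse `# v9` comment while `actions/checkout` and `actions/setup-python` in the same hunk are annotated with exact patch versions (`# v6.0.2`, `# v6.2.0`); the same pattern repeats in the remaining python.yml hunks and in both release.yml hunks. If the pinned SHA corresponds to a specific patch release the comment should name it, e.g. `# v9.x.y` (exact tag not on this page), so tooling that reconciles SHA pins with version comments treats every step the same way; if `v9` is the only tag at that commit, a short note saying so would pre-empt the question. The `steps:` list continues outside the hunk.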
@@ -85,18 +85,18 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 + # see https://github.com/Gr1N/setup-poetry + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -111,18 +111,18 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 + # see https://github.com/Gr1N/setup-poetry + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies 
@@ -149,18 +149,18 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ matrix.python-version }} architecture: 'x64' - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 + # see https://github.com/Gr1N/setup-poetry + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -201,14 +201,14 @@ jobs: git config --global core.eol lf - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create reports directory run: mkdir ${{ env.REPORTS_DIR }} - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ matrix.python-version }} architecture: 'x64' 
@@ -218,8 +218,8 @@ jobs: import sys print('Python %s on %s in %s' % (sys.version, sys.platform, sys.getdefaultencoding())) - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 + # see https://github.com/Gr1N/setup-poetry + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -238,7 +238,7 @@ jobs: - name: Artifact reports if: ${{ ! cancelled() }} # see https://github.com/actions/upload-artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: ${{ env.TESTS_REPORTS_ARTIFACT }}-${{ matrix.os }}-py${{ matrix.python-version }}${{ matrix.toxenv-factors }} path: ${{ env.REPORTS_DIR }} @@ -252,7 +252,7 @@ jobs: steps: - name: fetch test artifacts # see https://github.com/actions/download-artifact - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: path: ${{ env.REPORTS_DIR }} pattern: ${{ env.TESTS_REPORTS_ARTIFACT }}-* @@ -262,7 +262,7 @@ jobs: CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }} if: ${{ env.CODACY_PROJECT_TOKEN != '' }} ## see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-using-secrets # see https://github.com/codacy/codacy-coverage-reporter-action - uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1 + uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1.3.0 with: project-token: ${{ env.CODACY_PROJECT_TOKEN }} coverage-reports: ${{ env.REPORTS_DIR }}/coverage/* 
@@ -281,12 +281,12 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '>=3.9 <=3.14' # supported version range - name: Validate Python Environment @@ -295,8 +295,8 @@ jobs: import sys print('Python %s on %s in %s' % (sys.version, sys.platform, sys.getdefaultencoding())) - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 + # see https://github.com/Gr1N/setup-poetry + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install package and prod dependencies diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9fc60639a..9736fc593 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -48,18 +48,18 @@ jobs: steps: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 + # see https://github.com/Gr1N/setup-poetry + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -72,18 +72,18 @@ jobs: steps: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 + # see https://github.com/Gr1N/setup-poetry + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies 
@@ -110,7 +110,7 @@ jobs: - name: Generate GitHub App Token id: release-bot-token # see https://github.com/actions/create-github-app-token - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3 + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 with: # see https://github.com/organizations/CycloneDX/settings/apps/cyclonedx-releases client-id: 3335294 @@ -126,7 +126,7 @@ jobs: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 token: ${{ steps.release-bot-token.outputs.token }} @@ -134,13 +134,13 @@ jobs: - name: Setup python # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install and configure Poetry - # See https://github.com/marketplace/actions/install-poetry-action - uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1 + # Seehttps://github.com/snok/install-poetry + uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 with: version: ${{ env.POETRY_VERSION }} virtualenvs-create: true 
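Review bot: The new comment on the install-poetry step is missing a space and uses a different capitalisation from every other step touched in this commit: `# Seehttps://github.com/snok/install-poetry` should read `# see https://github.com/snok/install-poetry`. Everything else in the hunk is comment-only and consistent with the rest of the change. The job body continues outside the hunk.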
@@ -155,7 +155,7 @@ jobs: id: release # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html # see https://github.com/python-semantic-release/python-semantic-release - uses: python-semantic-release/python-semantic-release@1a324000f2251a9e722e77b128bf72712653813f # v10.0.2 + uses: python-semantic-release/python-semantic-release@1a324000f2251a9e722e77b128bf72712653813f # v10.0.2 with: git_committer_name: ${{ steps.release-bot-token.outputs.app-slug }}[bot] git_committer_email: ${{ steps.release-bot-user-id.outputs.user-id }}+${{ steps.release-bot-token.outputs.app-slug }}[bot]@users.noreply.github.com @@ -167,14 +167,14 @@ jobs: - name: Publish package distributions to PyPI if: steps.release.outputs.released == 'true' # see https://github.com/pypa/gh-action-pypi-publish - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 with: attestations: true - name: Publish package distributions to GitHub Releases if: steps.release.outputs.released == 'true' # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html#python-semantic-release-publish-action - uses: python-semantic-release/publish-action@310a9983a0ae878b29f3aac778d7c77c1db27378 # v10 + uses: python-semantic-release/publish-action@310a9983a0ae878b29f3aac778d7c77c1db27378 # v10.5.3 with: github_token: ${{ steps.release-bot-token.outputs.token }} tag: ${{ steps.release.outputs.tag }} diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 325898889..7439413c8 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml 
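Review bot: On the pypi-publish step the comment changes from `# release/v1` to `# v1.14.0` while the SHA `cef221092ed1…` is unchanged; if that commit is the `v1.14.0` tag this is a pure clarification, but if it was taken from the head of the `release/v1` branch at pin time the new comment would misdescribe the pin, so it is worth confirming against the upstream tag. The python-semantic-release line shows identical old and new text in this rendering, which suggests a whitespace-only change there. The job continues outside the hunk.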
@@ -1,39 +1,38 @@ # Analyzes all GitHub Actions workflows for security issues using zizmor. # docs: https://docs.zizmor.sh/ -name: Workflow Security Analysis (zizmor) +name: Zizmor on: - pull_request: - paths: - - ".github/workflows/**" push: - paths: - - ".github/workflows/**" + branches: ['master', 'main'] + pull_request: + branches: ['**'] + workflow_dispatch: schedule: - # Every Saturday at 00:00 UTC - - cron: "0 0 * * 6" + - cron: '0 0 * * 6' + +permissions: {} concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + group: '${{ github.workflow }}-${{ github.ref }}' cancel-in-progress: true -permissions: - contents: read - jobs: zizmor: - name: zizmor + name: Zizmor runs-on: ubuntu-latest timeout-minutes: 10 + permissions: + contents: read steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - name: Run zizmor + - name: Run zizmor 🌈 # see https://github.com/zizmorcore/zizmor-action - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 with: # advanced-security: false => emit findings as workflow-command annotations (::error file=…) rather than # uploading a SARIF report to GitHub's Security tab. From 303889ba2b47033ae693c1af8bff552664e1910c Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 4 Jun 2026 11:05:33 +0200 Subject: [PATCH 12/21] feat: add support CycloneDX 1.7.1 & 1.6.2 & 1.5.1 (#985) 
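Review bot: The concurrency group `'${{ github.workflow }}-${{ github.ref }}'` with `cancel-in-progress: true` now also covers the new `schedule` and `workflow_dispatch` triggers, which resolve to the default-branch ref, so a scheduled run can cancel an in-progress run for a push to `main` (or the reverse) and the cancelled run reports no findings. Keying the group on the event as well avoids that: `group: '${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}'`. Moving to `permissions: {}` at workflow level with job-level `contents: read`, and dropping the `paths` filters so every push and PR is analysed, are both improvements; the step's `with:` block continues outside the hunk.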
Signed-off-by: Jan Kowalleck --- cyclonedx/schema/_res/README.md | 2 +- cyclonedx/schema/_res/bom-1.5.SNAPSHOT.xsd | 20 ++++++++++++---- .../schema/_res/bom-1.6.SNAPSHOT.schema.json | 6 ++--- cyclonedx/schema/_res/bom-1.6.SNAPSHOT.xsd | 24 +++++++++++++------ .../schema/_res/bom-1.7.SNAPSHOT.schema.json | 12 +++++----- cyclonedx/schema/_res/bom-1.7.SNAPSHOT.xsd | 24 +++++++++++++------ tools/schema-downloader.py | 2 +- 7 files changed, 60 insertions(+), 30 deletions(-) diff --git a/cyclonedx/schema/_res/README.md b/cyclonedx/schema/_res/README.md index 207414b9e..83fc1dd95 100644 --- a/cyclonedx/schema/_res/README.md +++ b/cyclonedx/schema/_res/README.md @@ -4,7 +4,7 @@ some schema for offline use as downloaded via [script](../../../tools/schema-dow original sources: Currently using version -[4b3f59453366e27c8073fd24e98bf21ef8892c8e](https://github.com/CycloneDX/specification/commit/4b3f59453366e27c8073fd24e98bf21ef8892c8e) +[b29bae660048e0ad2fbc5f2972927b442ce951c4](https://github.com/CycloneDX/specification/commit/b29bae660048e0ad2fbc5f2972927b442ce951c4) | file | note | |------|------| diff --git a/cyclonedx/schema/_res/bom-1.5.SNAPSHOT.xsd b/cyclonedx/schema/_res/bom-1.5.SNAPSHOT.xsd index 022c09072..7c9577dad 100644 --- a/cyclonedx/schema/_res/bom-1.5.SNAPSHOT.xsd +++ b/cyclonedx/schema/_res/bom-1.5.SNAPSHOT.xsd @@ -22,7 +22,7 @@ limitations under the License. targetNamespace="http://cyclonedx.org/schema/bom/1.5" vc:minVersion="1.0" vc:maxVersion="1.1" - version="1.5.0"> + version="1.5.1"> @@ -2885,7 +2885,7 @@ limitations under the License. - + @@ -2897,7 +2897,7 @@ limitations under the License. - + @@ -2911,7 +2911,7 @@ limitations under the License. - + @@ -2923,7 +2923,7 @@ limitations under the License. - + 
@@ -3008,6 +3008,16 @@ limitations under the License. + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + diff --git a/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.schema.json b/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.schema.json index 981961dd6..1958b2245 100644 --- a/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.schema.json +++ b/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.schema.json @@ -536,7 +536,7 @@ "description": "Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "type": "string", "minLength": 1, - "$comment": "TODO (breaking change): add a format constraint that prevents the value from staring with 'urn:cdx:'" + "$comment": "TODO (breaking change): add a format constraint that prevents the value from starting with 'urn:cdx:'" }, "refLinkType": { "description": "Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.", 
@@ -1161,7 +1161,7 @@ "contentType": { "type": "string", "title": "Content-Type", - "description": "Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` for JSON data and `text/plain` for plan text documents.\n [RFC 2045 section 5.1](https://www.ietf.org/rfc/rfc2045.html#section-5.1) outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the [IANA media types registry](https://www.iana.org/assignments/media-types/media-types.xhtml).", + "description": "Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` for JSON data and `text/plain` for plain text documents.\n [RFC 2045 section 5.1](https://www.ietf.org/rfc/rfc2045.html#section-5.1) outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the [IANA media types registry](https://www.iana.org/assignments/media-types/media-types.xhtml).", "default": "text/plain", "examples": [ "text/plain", @@ -2681,7 +2681,7 @@ "ratings": { "type": "array", "title": "Ratings", - "description": "List of vulnerability ratings", + "description": "List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.", "items": { "$ref": "#/definitions/rating" } diff --git a/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.xsd b/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.xsd index 427f3c4f0..c3a7f46f0 100644 --- a/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.xsd +++ b/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.xsd @@ -22,7 +22,7 @@ limitations under the License. targetNamespace="http://cyclonedx.org/schema/bom/1.6" vc:minVersion="1.0" vc:maxVersion="1.1" - version="1.6.1"> + version="1.6.2"> 
@@ -973,7 +973,7 @@ limitations under the License. Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` - for JSON data and `text/plain` for plan text documents. + for JSON data and `text/plain` for plain text documents. RFC 2045 section 5.1 outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the IANA media types registry at https://www.iana.org/assignments/media-types/media-types.xhtml. @@ -3256,7 +3256,7 @@ limitations under the License. - + @@ -3268,7 +3268,7 @@ limitations under the License. - + @@ -3282,7 +3282,7 @@ limitations under the License. - + @@ -3294,7 +3294,7 @@ limitations under the License. - + @@ -3386,6 +3386,16 @@ limitations under the License. + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + @@ -4218,7 +4228,7 @@ limitations under the License. - List of vulnerability ratings. + List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization. diff --git a/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.schema.json b/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.schema.json index c0ed5071d..ad7e54ac2 100644 --- a/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.schema.json +++ b/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.schema.json 
@@ -555,7 +555,7 @@ "description": "Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "type": "string", "minLength": 1, - "$comment": "TODO (breaking change): add a format constraint that prevents the value from staring with 'urn:cdx:'" + "$comment": "TODO (breaking change): add a format constraint that prevents the value from starting with 'urn:cdx:'" }, "refLinkType": { "title": "BOM Reference", @@ -981,7 +981,7 @@ "versionRange": { "$ref": "#/definitions/versionRange", "title": "Component Version Range", - "description": "For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.", + "description": "A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.", "items": {"$ref": "#/definitions/patch"} }, "notes": { 
@@ -1248,7 +1248,7 @@ "contentType": { "type": "string", "title": "Content-Type", - "description": "Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` for JSON data and `text/plain` for plan text documents.\n [RFC 2045 section 5.1](https://www.ietf.org/rfc/rfc2045.html#section-5.1) outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the [IANA media types registry](https://www.iana.org/assignments/media-types/media-types.xhtml).", + "description": "Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` for JSON data and `text/plain` for plain text documents.\n [RFC 2045 section 5.1](https://www.ietf.org/rfc/rfc2045.html#section-5.1) outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the [IANA media types registry](https://www.iana.org/assignments/media-types/media-types.xhtml).", "default": "text/plain", "examples": [ "text/plain", @@ -2841,7 +2841,7 @@ "ratings": { "type": "array", "title": "Ratings", - "description": "List of vulnerability ratings", + "description": "List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.", "items": { "$ref": "#/definitions/rating" } diff --git a/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.xsd b/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.xsd index 40aa7ad93..7318f6ef6 100644 --- a/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.xsd +++ b/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.xsd @@ -22,7 +22,7 @@ limitations under the License. targetNamespace="http://cyclonedx.org/schema/bom/1.7" vc:minVersion="1.0" vc:maxVersion="1.1" - version="1.7.0"> + version="1.7.1"> 
@@ -1204,7 +1204,7 @@ limitations under the License. Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` - for JSON data and `text/plain` for plan text documents. + for JSON data and `text/plain` for plain text documents. RFC 2045 section 5.1 outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the IANA media types registry at https://www.iana.org/assignments/media-types/media-types.xhtml. @@ -3499,7 +3499,7 @@ limitations under the License. - + @@ -3511,7 +3511,7 @@ limitations under the License. - + @@ -3525,7 +3525,7 @@ limitations under the License. - + @@ -3537,7 +3537,7 @@ limitations under the License. - + @@ -3629,6 +3629,16 @@ limitations under the License. + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + @@ -4461,7 +4471,7 @@ limitations under the License. - List of vulnerability ratings. + List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization. diff --git a/tools/schema-downloader.py b/tools/schema-downloader.py index 30b7ecd54..b852a1eb9 100755 --- a/tools/schema-downloader.py +++ b/tools/schema-downloader.py 
@@ -21,7 +21,7 @@ from os.path import dirname, join, realpath from urllib.request import urlretrieve -SOURCE_ROOT = 'https://raw.githubusercontent.com/CycloneDX/specification/refs/tags/1.7/schema/' +SOURCE_ROOT = 'https://raw.githubusercontent.com/CycloneDX/specification/refs/tags/1.7.1/schema/' SOURCE_ROOT_LATEST = 'https://raw.githubusercontent.com/CycloneDX/specification/refs/heads/master/schema/' TARGET_ROOT = realpath(join(dirname(__file__), '..', 'cyclonedx', 'schema', '_res')) From bc961efabd6a898f2d349ad97d2804d66b60e45c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Jun 2026 11:58:31 +0200 Subject: [PATCH 13/21] chore(deps): bump actions/create-github-app-token from 3.1.1 to 3.2.0 (#982) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9736fc593..0d3e77499 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -110,7 +110,7 @@ jobs: - name: Generate GitHub App Token id: release-bot-token # see https://github.com/actions/create-github-app-token - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: # see https://github.com/organizations/CycloneDX/settings/apps/cyclonedx-releases client-id: 3335294 From 051abcef774a606b93da55b8fed4aa4ae056a744 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Jun 2026 12:15:19 +0200 Subject: [PATCH 14/21] chore(deps): bump actions/download-artifact from 7.0.0 to 8.0.1 (#964) 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 492a9f2c9..f16e17354 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -252,7 +252,7 @@ jobs: steps: - name: fetch test artifacts # see https://github.com/actions/download-artifact - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: ${{ env.REPORTS_DIR }} pattern: ${{ env.TESTS_REPORTS_ARTIFACT }}-* From 590402a0c963816a48902eba86d6be963ebf3ed0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Jun 2026 12:15:30 +0200 Subject: [PATCH 15/21] chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.1 (#963) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index f16e17354..ea1f00354 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -238,7 +238,7 @@ jobs: - name: Artifact reports if: ${{ ! cancelled() }} # see https://github.com/actions/upload-artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: ${{ env.TESTS_REPORTS_ARTIFACT }}-${{ matrix.os }}-py${{ matrix.python-version }}${{ matrix.toxenv-factors }} path: ${{ env.REPORTS_DIR }} From 42ff04444fa054d86da2302bc62e1bffd3b397df Mon Sep 17 00:00:00 2001 
From: Jan Kowalleck Date: Thu, 4 Jun 2026 12:16:14 +0200 Subject: [PATCH 16/21] feat: pull SPDX license IDs v1.1-3.28.0 (#986) Signed-off-by: Jan Kowalleck --- .../cryptography-defs.SNAPSHOT.schema.json | 22 +- .../schema/_res/spdx.SNAPSHOT.schema.json | 850 +++++++++++++++++- cyclonedx/schema/_res/spdx.SNAPSHOT.xsd | 167 +++- 3 files changed, 1033 insertions(+), 6 deletions(-) diff --git a/cyclonedx/schema/_res/cryptography-defs.SNAPSHOT.schema.json b/cyclonedx/schema/_res/cryptography-defs.SNAPSHOT.schema.json index 1f06fdff5..e17815057 100644 --- a/cyclonedx/schema/_res/cryptography-defs.SNAPSHOT.schema.json +++ b/cyclonedx/schema/_res/cryptography-defs.SNAPSHOT.schema.json @@ -1,7 +1,7 @@ { "$schema": "http://json-schema.org/draft-07/schema#", "$id": "http://cyclonedx.org/schema/cryptography-defs.schema.json", - "$comment": "2025-09-07T11:12:52Z", + "$comment": "2026-03-05T14:27:50Z", "title": "Cryptographic Algorithm Family Definitions", "description": "Enumerates cryptographic algorithm families and their specific metadata.", "type": "object", @@ -248,6 +248,7 @@ "A5/2", "AES", "ARIA", + "Argon2", "Ascon", "BLAKE2", "BLAKE3", @@ -258,6 +259,7 @@ "CAST6", "CMAC", "CMEA", + "CTR_DRBG", "ChaCha", "ChaCha20", "DES", @@ -273,9 +275,12 @@ "HC", "HKDF", "HMAC", + "HMAC_DRBG", + "HPKE", + "Hash_DRBG", "IDEA", "IKE-PRF", - "KMAC", + "J-PAKE", "LMS", "MD2", "MD4", @@ -284,6 +289,7 @@ "ML-DSA", "ML-KEM", "MQV", + "OPAQUE", "PBES1", "PBES2", "PBKDF1", @@ -305,20 +311,30 @@ "SHA-2", "SHA-3", "SLH-DSA", + "SM2", + "SM3", + "SM4", + "SM9", "SNOW3G", "SP800-108", + "SPAKE2", + "SPAKE2PLUS", + "SRP", "Salsa20", "Serpent", "SipHash", "Skipjack", "TUAK", "Twofish", + "UMAC", "Whirlpool", "X3DH", "XMSS", "Yarrow", "ZUC", - "bcrypt" + "bcrypt", + "scrypt", + "yescrypt" ] }, "ellipticCurvesEnum": { diff --git a/cyclonedx/schema/_res/spdx.SNAPSHOT.schema.json b/cyclonedx/schema/_res/spdx.SNAPSHOT.schema.json index 1e49a6d9e..2dccc87e3 100644 
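Review bot: The `@@ -273,9 +275,12 @@` hunk of cryptography-defs.SNAPSHOT.schema.json removes `"KMAC"` from the algorithm-family enum (the `-` line between `"IKE-PRF"` and `"LMS"`) while the `+` line in its place adds `"J-PAKE"`, and none of the other hunks of this file re-add it. Since this enum backs schema validation, a BOM that already records a KMAC primitive would presumably stop validating against the updated snapshot, which makes this pull a behavioural change rather than a purely additive one. If the removal mirrors the upstream definition file it should be stated in the commit description and covered by a fixture so the regression is deliberate; if it does not, the downloaded snapshot may not correspond to the intended upstream revision.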
--- a/cyclonedx/schema/_res/spdx.SNAPSHOT.schema.json +++ b/cyclonedx/schema/_res/spdx.SNAPSHOT.schema.json @@ -1,7 +1,7 @@ { "$schema": "http://json-schema.org/draft-07/schema#", "$id": "http://cyclonedx.org/schema/spdx.schema.json", - "$comment": "v1.0-3.27.0", + "$comment": "v1.1-3.28.0", "type": "string", "enum": [ "0BSD", @@ -14,6 +14,7 @@ "Adobe-Glyph", "Adobe-Utopia", "ADSL", + "Advanced-Cryptics-Dictionary", "AFL-1.1", "AFL-1.2", "AFL-2.0", @@ -27,6 +28,7 @@ "AGPL-3.0-only", "AGPL-3.0-or-later", "Aladdin", + "ALGLIB-Documentation", "AMD-newlib", "AMDPLPA", "AML", @@ -68,6 +70,7 @@ "BlueOak-1.0.0", "Boehm-GC", "Boehm-GC-without-fee", + "BOLA-1.1", "Borceux", "Brian-Gladman-2-Clause", "Brian-Gladman-3-Clause", @@ -94,6 +97,7 @@ "BSD-3-Clause-No-Nuclear-Warranty", "BSD-3-Clause-Open-MPI", "BSD-3-Clause-Sun", + "BSD-3-Clause-Tso", "BSD-4-Clause", "BSD-4-Clause-Shortened", "BSD-4-Clause-UC", @@ -102,12 +106,14 @@ "BSD-Advertising-Acknowledgement", "BSD-Attribution-HPND-disclaimer", "BSD-Inferno-Nettverk", + "BSD-Mark-Modifications", "BSD-Protection", "BSD-Source-beginning-file", "BSD-Source-Code", "BSD-Systemics", "BSD-Systemics-W3Works", "BSL-1.0", + "Buddy", "BUSL-1.1", "bzip2-1.0.5", "bzip2-1.0.6", @@ -116,6 +122,7 @@ "CAL-1.0-Combined-Work-Exception", "Caldera", "Caldera-no-preamble", + "CAPEC-tou", "Catharon", "CATOSL-1.1", "CC-BY-1.0", @@ -245,6 +252,9 @@ "EPL-1.0", "EPL-2.0", "ErlPL-1.1", + "ESA-PL-permissive-2.4", + "ESA-PL-strong-copyleft-2.4", + "ESA-PL-weak-copyleft-2.4", "etalab-2.0", "EUDatagrid", "EUPL-1.0", @@ -350,11 +360,14 @@ "HPND-sell-MIT-disclaimer-xserver", "HPND-sell-regexpr", "HPND-sell-variant", + "HPND-sell-variant-critical-systems", "HPND-sell-variant-MIT-disclaimer", "HPND-sell-variant-MIT-disclaimer-rev", + "HPND-SMC", "HPND-UC", "HPND-UC-export-US", "HTMLTIDY", + "hyphen-bulgarian", "IBM-pibs", "ICU", "IEC-Code-Components-EULA", @@ -373,6 +386,7 @@ "IPL-1.0", "ISC", "ISC-Veillard", + "ISO-permission", "Jam", "JasPer-2.0", "jove", 
@@ -450,10 +464,12 @@ "MIT-Khronos-old", "MIT-Modern-Variant", "MIT-open-group", + "MIT-STK", "MIT-testregex", "MIT-Wu", "MITNFA", "MMIXware", + "MMPL-1.0.1", "Motosoto", "MPEG-SSG", "mpi-permissive", @@ -487,6 +503,7 @@ "NICTA-1.0", "NIST-PD", "NIST-PD-fallback", + "NIST-PD-TNT", "NIST-Software", "NLOD-1.0", "NLOD-2.0", @@ -540,6 +557,7 @@ "OLDAP-2.8", "OLFL-1.3", "OML", + "OpenMDW-1.0", "OpenPBS-2.3", "OpenSSL", "OpenSSL-standalone", @@ -547,13 +565,16 @@ "OPL-1.0", "OPL-UK-3.0", "OPUBL-1.0", + "OSC-1.0", "OSET-PL-2.1", "OSL-1.0", "OSL-1.1", "OSL-2.0", "OSL-2.1", "OSL-3.0", + "OSSP", "PADL", + "ParaType-Free-Font-1.3", "Parity-6.0.0", "Parity-7.0.0", "PDDL-1.0", @@ -598,6 +619,7 @@ "SGI-B-1.1", "SGI-B-2.0", "SGI-OpenGL", + "SGMLUG-PM", "SGP4", "SHL-0.5", "SHL-0.51", @@ -635,6 +657,7 @@ "TAPR-OHL-1.0", "TCL", "TCP-wrappers", + "TekHVC", "TermReadKey", "TGPPL-1.0", "ThirdEye", @@ -662,9 +685,11 @@ "Unlicense", "Unlicense-libtelnet", "Unlicense-libwhirlpool", + "UnRAR", "UPL-1.0", "URT-RLE", "Vim", + "Vixie-Cron", "VOSTROM", "VSL-1.0", "W3C", @@ -673,12 +698,15 @@ "w3m", "Watcom-1.0", "Widget-Workshop", + "WordNet", "Wsuipa", + "WTFNMFPL", "WTFPL", "wwl", "wxWindows", "X11", "X11-distribute-modifications-variant", + "X11-no-permit-persons", "X11-swapped", "Xdebug-1.03", "Xerox", @@ -716,6 +744,7 @@ "Bootloader-exception", "CGAL-linking-exception", "Classpath-exception-2.0", + "Classpath-exception-2.0-short", "CLISP-exception-2.0", "cryptsetup-OpenSSL-exception", "Digia-Qt-LGPL-exception-1.1", @@ -746,6 +775,7 @@ "i2p-gpl-java-exception", "Independent-modules-exception", "KiCad-libraries-exception", + "kvirc-openssl-exception", "LGPL-3.0-linking-exception", "libpri-OpenH323-exception", "Libtool-exception", 
@@ -769,9 +799,12 @@ "Qwt-exception-1.0", "romic-exception", "RRDtool-FLOSS-exception-2.0", + "rsync-linking-exception", "SANE-exception", "SHL-2.0", "SHL-2.1", + "Simple-Library-Usage-exception", + "sqlitestudio-OpenSSL-exception", "stunnel-exception", "SWI-exception", "Swift-exception", 
@@ -782,5 +815,818 @@ "vsftpd-openssl-exception", "WxWindows-exception-3.1", "x11vnc-openssl-exception" - ] + ], + "meta:enum": { + "0BSD": "BSD Zero Clause License", + "3D-Slicer-1.0": "3D Slicer License v1.0", + "AAL": "Attribution Assurance License", + "Abstyles": "Abstyles License", + "AdaCore-doc": "AdaCore Doc License", + "Adobe-2006": "Adobe Systems Incorporated Source Code License Agreement", + "Adobe-Display-PostScript": "Adobe Display PostScript License", + "Adobe-Glyph": "Adobe Glyph List License", + "Adobe-Utopia": "Adobe Utopia Font License", + "ADSL": "Amazon Digital Services License", + "Advanced-Cryptics-Dictionary": "Advanced Cryptics Dictionary License", + "AFL-1.1": "Academic Free License v1.1", + "AFL-1.2": "Academic Free License v1.2", + "AFL-2.0": "Academic Free License v2.0", + "AFL-2.1": "Academic Free License v2.1", + "AFL-3.0": "Academic Free License v3.0", + "Afmparse": "Afmparse License", + "AGPL-1.0": "Affero General Public License v1.0", + "AGPL-1.0-only": "Affero General Public License v1.0 only", + "AGPL-1.0-or-later": "Affero General Public License v1.0 or later", + "AGPL-3.0": "GNU Affero General Public License v3.0", + "AGPL-3.0-only": "GNU Affero General Public License v3.0 only", + "AGPL-3.0-or-later": "GNU Affero General Public License v3.0 or later", + "Aladdin": "Aladdin Free Public License", + "ALGLIB-Documentation": "ALGLIB Documentation License", + "AMD-newlib": "AMD newlib License", + "AMDPLPA": "AMD's plpa_map.c License", + "AML": "Apple MIT License", + "AML-glslang": "AML glslang variant License", + "AMPAS": "Academy of Motion Picture Arts and Sciences BSD", + "ANTLR-PD": "ANTLR Software Rights Notice", + "ANTLR-PD-fallback": "ANTLR Software Rights Notice with license fallback", + "any-OSI": "Any OSI License", + "any-OSI-perl-modules": "Any OSI License - Perl Modules", + "Apache-1.0": "Apache License 1.0", + "Apache-1.1": "Apache License 1.1", + "Apache-2.0": "Apache License 2.0", + "APAFML": "Adobe Postscript AFM 
License", + "APL-1.0": "Adaptive Public License 1.0", + "App-s2p": "App::s2p License", + "APSL-1.0": "Apple Public Source License 1.0", + "APSL-1.1": "Apple Public Source License 1.1", + "APSL-1.2": "Apple Public Source License 1.2", + "APSL-2.0": "Apple Public Source License 2.0", + "Arphic-1999": "Arphic Public License", + "Artistic-1.0": "Artistic License 1.0", + "Artistic-1.0-cl8": "Artistic License 1.0 w\/clause 8", + "Artistic-1.0-Perl": "Artistic License 1.0 (Perl)", + "Artistic-2.0": "Artistic License 2.0", + "Artistic-dist": "Artistic License 1.0 (dist)", + "Aspell-RU": "Aspell Russian License", + "ASWF-Digital-Assets-1.0": "ASWF Digital Assets License version 1.0", + "ASWF-Digital-Assets-1.1": "ASWF Digital Assets License 1.1", + "Baekmuk": "Baekmuk License", + "Bahyph": "Bahyph License", + "Barr": "Barr License", + "bcrypt-Solar-Designer": "bcrypt Solar Designer License", + "Beerware": "Beerware License", + "Bitstream-Charter": "Bitstream Charter Font License", + "Bitstream-Vera": "Bitstream Vera Font License", + "BitTorrent-1.0": "BitTorrent Open Source License v1.0", + "BitTorrent-1.1": "BitTorrent Open Source License v1.1", + "blessing": "SQLite Blessing", + "BlueOak-1.0.0": "Blue Oak Model License 1.0.0", + "Boehm-GC": "Boehm-Demers-Weiser GC License", + "Boehm-GC-without-fee": "Boehm-Demers-Weiser GC License (without fee)", + "BOLA-1.1": "Buena Onda License Agreement v1.1", + "Borceux": "Borceux license", + "Brian-Gladman-2-Clause": "Brian Gladman 2-Clause License", + "Brian-Gladman-3-Clause": "Brian Gladman 3-Clause License", + "BSD-1-Clause": "BSD 1-Clause License", + "BSD-2-Clause": "BSD 2-Clause \"Simplified\" License", + "BSD-2-Clause-Darwin": "BSD 2-Clause - Ian Darwin variant", + "BSD-2-Clause-first-lines": "BSD 2-Clause - first lines requirement", + "BSD-2-Clause-FreeBSD": "BSD 2-Clause FreeBSD License", + "BSD-2-Clause-NetBSD": "BSD 2-Clause NetBSD License", + "BSD-2-Clause-Patent": "BSD-2-Clause Plus Patent License", + 
"BSD-2-Clause-pkgconf-disclaimer": "BSD 2-Clause pkgconf disclaimer variant", + "BSD-2-Clause-Views": "BSD 2-Clause with views sentence", + "BSD-3-Clause": "BSD 3-Clause \"New\" or \"Revised\" License", + "BSD-3-Clause-acpica": "BSD 3-Clause acpica variant", + "BSD-3-Clause-Attribution": "BSD with attribution", + "BSD-3-Clause-Clear": "BSD 3-Clause Clear License", + "BSD-3-Clause-flex": "BSD 3-Clause Flex variant", + "BSD-3-Clause-HP": "Hewlett-Packard BSD variant license", + "BSD-3-Clause-LBNL": "Lawrence Berkeley National Labs BSD variant license", + "BSD-3-Clause-Modification": "BSD 3-Clause Modification", + "BSD-3-Clause-No-Military-License": "BSD 3-Clause No Military License", + "BSD-3-Clause-No-Nuclear-License": "BSD 3-Clause No Nuclear License", + "BSD-3-Clause-No-Nuclear-License-2014": "BSD 3-Clause No Nuclear License 2014", + "BSD-3-Clause-No-Nuclear-Warranty": "BSD 3-Clause No Nuclear Warranty", + "BSD-3-Clause-Open-MPI": "BSD 3-Clause Open MPI variant", + "BSD-3-Clause-Sun": "BSD 3-Clause Sun Microsystems", + "BSD-3-Clause-Tso": "BSD 3-Clause Tso variant", + "BSD-4-Clause": "BSD 4-Clause \"Original\" or \"Old\" License", + "BSD-4-Clause-Shortened": "BSD 4 Clause Shortened", + "BSD-4-Clause-UC": "BSD-4-Clause (University of California-Specific)", + "BSD-4.3RENO": "BSD 4.3 RENO License", + "BSD-4.3TAHOE": "BSD 4.3 TAHOE License", + "BSD-Advertising-Acknowledgement": "BSD Advertising Acknowledgement License", + "BSD-Attribution-HPND-disclaimer": "BSD with Attribution and HPND disclaimer", + "BSD-Inferno-Nettverk": "BSD-Inferno-Nettverk", + "BSD-Mark-Modifications": "BSD Mark Modifications License", + "BSD-Protection": "BSD Protection License", + "BSD-Source-beginning-file": "BSD Source Code Attribution - beginning of file variant", + "BSD-Source-Code": "BSD Source Code Attribution", + "BSD-Systemics": "Systemics BSD variant license", + "BSD-Systemics-W3Works": "Systemics W3Works BSD variant license", + "BSL-1.0": "Boost Software License 1.0", + "Buddy": 
"Buddy License", + "BUSL-1.1": "Business Source License 1.1", + "bzip2-1.0.5": "bzip2 and libbzip2 License v1.0.5", + "bzip2-1.0.6": "bzip2 and libbzip2 License v1.0.6", + "C-UDA-1.0": "Computational Use of Data Agreement v1.0", + "CAL-1.0": "Cryptographic Autonomy License 1.0", + "CAL-1.0-Combined-Work-Exception": "Cryptographic Autonomy License 1.0 (Combined Work Exception)", + "Caldera": "Caldera License", + "Caldera-no-preamble": "Caldera License (without preamble)", + "CAPEC-tou": "Common Attack Pattern Enumeration and Classification License", + "Catharon": "Catharon License", + "CATOSL-1.1": "Computer Associates Trusted Open Source License 1.1", + "CC-BY-1.0": "Creative Commons Attribution 1.0 Generic", + "CC-BY-2.0": "Creative Commons Attribution 2.0 Generic", + "CC-BY-2.5": "Creative Commons Attribution 2.5 Generic", + "CC-BY-2.5-AU": "Creative Commons Attribution 2.5 Australia", + "CC-BY-3.0": "Creative Commons Attribution 3.0 Unported", + "CC-BY-3.0-AT": "Creative Commons Attribution 3.0 Austria", + "CC-BY-3.0-AU": "Creative Commons Attribution 3.0 Australia", + "CC-BY-3.0-DE": "Creative Commons Attribution 3.0 Germany", + "CC-BY-3.0-IGO": "Creative Commons Attribution 3.0 IGO", + "CC-BY-3.0-NL": "Creative Commons Attribution 3.0 Netherlands", + "CC-BY-3.0-US": "Creative Commons Attribution 3.0 United States", + "CC-BY-4.0": "Creative Commons Attribution 4.0 International", + "CC-BY-NC-1.0": "Creative Commons Attribution Non Commercial 1.0 Generic", + "CC-BY-NC-2.0": "Creative Commons Attribution Non Commercial 2.0 Generic", + "CC-BY-NC-2.5": "Creative Commons Attribution Non Commercial 2.5 Generic", + "CC-BY-NC-3.0": "Creative Commons Attribution Non Commercial 3.0 Unported", + "CC-BY-NC-3.0-DE": "Creative Commons Attribution Non Commercial 3.0 Germany", + "CC-BY-NC-4.0": "Creative Commons Attribution Non Commercial 4.0 International", + "CC-BY-NC-ND-1.0": "Creative Commons Attribution Non Commercial No Derivatives 1.0 Generic", + "CC-BY-NC-ND-2.0": 
"Creative Commons Attribution Non Commercial No Derivatives 2.0 Generic", + "CC-BY-NC-ND-2.5": "Creative Commons Attribution Non Commercial No Derivatives 2.5 Generic", + "CC-BY-NC-ND-3.0": "Creative Commons Attribution Non Commercial No Derivatives 3.0 Unported", + "CC-BY-NC-ND-3.0-DE": "Creative Commons Attribution Non Commercial No Derivatives 3.0 Germany", + "CC-BY-NC-ND-3.0-IGO": "Creative Commons Attribution Non Commercial No Derivatives 3.0 IGO", + "CC-BY-NC-ND-4.0": "Creative Commons Attribution Non Commercial No Derivatives 4.0 International", + "CC-BY-NC-SA-1.0": "Creative Commons Attribution Non Commercial Share Alike 1.0 Generic", + "CC-BY-NC-SA-2.0": "Creative Commons Attribution Non Commercial Share Alike 2.0 Generic", + "CC-BY-NC-SA-2.0-DE": "Creative Commons Attribution Non Commercial Share Alike 2.0 Germany", + "CC-BY-NC-SA-2.0-FR": "Creative Commons Attribution-NonCommercial-ShareAlike 2.0 France", + "CC-BY-NC-SA-2.0-UK": "Creative Commons Attribution Non Commercial Share Alike 2.0 England and Wales", + "CC-BY-NC-SA-2.5": "Creative Commons Attribution Non Commercial Share Alike 2.5 Generic", + "CC-BY-NC-SA-3.0": "Creative Commons Attribution Non Commercial Share Alike 3.0 Unported", + "CC-BY-NC-SA-3.0-DE": "Creative Commons Attribution Non Commercial Share Alike 3.0 Germany", + "CC-BY-NC-SA-3.0-IGO": "Creative Commons Attribution Non Commercial Share Alike 3.0 IGO", + "CC-BY-NC-SA-4.0": "Creative Commons Attribution Non Commercial Share Alike 4.0 International", + "CC-BY-ND-1.0": "Creative Commons Attribution No Derivatives 1.0 Generic", + "CC-BY-ND-2.0": "Creative Commons Attribution No Derivatives 2.0 Generic", + "CC-BY-ND-2.5": "Creative Commons Attribution No Derivatives 2.5 Generic", + "CC-BY-ND-3.0": "Creative Commons Attribution No Derivatives 3.0 Unported", + "CC-BY-ND-3.0-DE": "Creative Commons Attribution No Derivatives 3.0 Germany", + "CC-BY-ND-4.0": "Creative Commons Attribution No Derivatives 4.0 International", + "CC-BY-SA-1.0": 
"Creative Commons Attribution Share Alike 1.0 Generic", + "CC-BY-SA-2.0": "Creative Commons Attribution Share Alike 2.0 Generic", + "CC-BY-SA-2.0-UK": "Creative Commons Attribution Share Alike 2.0 England and Wales", + "CC-BY-SA-2.1-JP": "Creative Commons Attribution Share Alike 2.1 Japan", + "CC-BY-SA-2.5": "Creative Commons Attribution Share Alike 2.5 Generic", + "CC-BY-SA-3.0": "Creative Commons Attribution Share Alike 3.0 Unported", + "CC-BY-SA-3.0-AT": "Creative Commons Attribution Share Alike 3.0 Austria", + "CC-BY-SA-3.0-DE": "Creative Commons Attribution Share Alike 3.0 Germany", + "CC-BY-SA-3.0-IGO": "Creative Commons Attribution-ShareAlike 3.0 IGO", + "CC-BY-SA-4.0": "Creative Commons Attribution Share Alike 4.0 International", + "CC-PDDC": "Creative Commons Public Domain Dedication and Certification", + "CC-PDM-1.0": "Creative Commons Public Domain Mark 1.0 Universal", + "CC-SA-1.0": "Creative Commons Share Alike 1.0 Generic", + "CC0-1.0": "Creative Commons Zero v1.0 Universal", + "CDDL-1.0": "Common Development and Distribution License 1.0", + "CDDL-1.1": "Common Development and Distribution License 1.1", + "CDL-1.0": "Common Documentation License 1.0", + "CDLA-Permissive-1.0": "Community Data License Agreement Permissive 1.0", + "CDLA-Permissive-2.0": "Community Data License Agreement Permissive 2.0", + "CDLA-Sharing-1.0": "Community Data License Agreement Sharing 1.0", + "CECILL-1.0": "CeCILL Free Software License Agreement v1.0", + "CECILL-1.1": "CeCILL Free Software License Agreement v1.1", + "CECILL-2.0": "CeCILL Free Software License Agreement v2.0", + "CECILL-2.1": "CeCILL Free Software License Agreement v2.1", + "CECILL-B": "CeCILL-B Free Software License Agreement", + "CECILL-C": "CeCILL-C Free Software License Agreement", + "CERN-OHL-1.1": "CERN Open Hardware Licence v1.1", + "CERN-OHL-1.2": "CERN Open Hardware Licence v1.2", + "CERN-OHL-P-2.0": "CERN Open Hardware Licence Version 2 - Permissive", + "CERN-OHL-S-2.0": "CERN Open Hardware 
Licence Version 2 - Strongly Reciprocal", + "CERN-OHL-W-2.0": "CERN Open Hardware Licence Version 2 - Weakly Reciprocal", + "CFITSIO": "CFITSIO License", + "check-cvs": "check-cvs License", + "checkmk": "Checkmk License", + "ClArtistic": "Clarified Artistic License", + "Clips": "Clips License", + "CMU-Mach": "CMU Mach License", + "CMU-Mach-nodoc": "CMU Mach - no notices-in-documentation variant", + "CNRI-Jython": "CNRI Jython License", + "CNRI-Python": "CNRI Python License", + "CNRI-Python-GPL-Compatible": "CNRI Python Open Source GPL Compatible License Agreement", + "COIL-1.0": "Copyfree Open Innovation License", + "Community-Spec-1.0": "Community Specification License 1.0", + "Condor-1.1": "Condor Public License v1.1", + "copyleft-next-0.3.0": "copyleft-next 0.3.0", + "copyleft-next-0.3.1": "copyleft-next 0.3.1", + "Cornell-Lossless-JPEG": "Cornell Lossless JPEG License", + "CPAL-1.0": "Common Public Attribution License 1.0", + "CPL-1.0": "Common Public License 1.0", + "CPOL-1.02": "Code Project Open License 1.02", + "Cronyx": "Cronyx License", + "Crossword": "Crossword License", + "CryptoSwift": "CryptoSwift License", + "CrystalStacker": "CrystalStacker License", + "CUA-OPL-1.0": "CUA Office Public License v1.0", + "Cube": "Cube License", + "curl": "curl License", + "cve-tou": "Common Vulnerability Enumeration ToU License", + "D-FSL-1.0": "Deutsche Freie Software Lizenz", + "DEC-3-Clause": "DEC 3-Clause License", + "diffmark": "diffmark license", + "DL-DE-BY-2.0": "Data licence Germany \u2013 attribution \u2013 version 2.0", + "DL-DE-ZERO-2.0": "Data licence Germany \u2013 zero \u2013 version 2.0", + "DOC": "DOC License", + "DocBook-DTD": "DocBook DTD License", + "DocBook-Schema": "DocBook Schema License", + "DocBook-Stylesheet": "DocBook Stylesheet License", + "DocBook-XML": "DocBook XML License", + "Dotseqn": "Dotseqn License", + "DRL-1.0": "Detection Rule License 1.0", + "DRL-1.1": "Detection Rule License 1.1", + "DSDP": "DSDP License", + "dtoa": "David M. 
Gay dtoa License", + "dvipdfm": "dvipdfm License", + "ECL-1.0": "Educational Community License v1.0", + "ECL-2.0": "Educational Community License v2.0", + "eCos-2.0": "eCos license version 2.0", + "EFL-1.0": "Eiffel Forum License v1.0", + "EFL-2.0": "Eiffel Forum License v2.0", + "eGenix": "eGenix.com Public License 1.1.0", + "Elastic-2.0": "Elastic License 2.0", + "Entessa": "Entessa Public License v1.0", + "EPICS": "EPICS Open License", + "EPL-1.0": "Eclipse Public License 1.0", + "EPL-2.0": "Eclipse Public License 2.0", + "ErlPL-1.1": "Erlang Public License v1.1", + "ESA-PL-permissive-2.4": "European Space Agency Public License \u2013 v2.4 \u2013 Permissive (Type 3)", + "ESA-PL-strong-copyleft-2.4": "European Space Agency Public License (ESA-PL) - V2.4 - Strong Copyleft (Type 1)", + "ESA-PL-weak-copyleft-2.4": "European Space Agency Public License \u2013 v2.4 \u2013 Weak Copyleft (Type 2)", + "etalab-2.0": "Etalab Open License 2.0", + "EUDatagrid": "EU DataGrid Software License", + "EUPL-1.0": "European Union Public License 1.0", + "EUPL-1.1": "European Union Public License 1.1", + "EUPL-1.2": "European Union Public License 1.2", + "Eurosym": "Eurosym License", + "Fair": "Fair License", + "FBM": "Fuzzy Bitmap License", + "FDK-AAC": "Fraunhofer FDK AAC Codec Library", + "Ferguson-Twofish": "Ferguson Twofish License", + "Frameworx-1.0": "Frameworx Open License 1.0", + "FreeBSD-DOC": "FreeBSD Documentation License", + "FreeImage": "FreeImage Public License v1.0", + "FSFAP": "FSF All Permissive License", + "FSFAP-no-warranty-disclaimer": "FSF All Permissive License (without Warranty)", + "FSFUL": "FSF Unlimited License", + "FSFULLR": "FSF Unlimited License (with License Retention)", + "FSFULLRSD": "FSF Unlimited License (with License Retention and Short Disclaimer)", + "FSFULLRWD": "FSF Unlimited License (With License Retention and Warranty Disclaimer)", + "FSL-1.1-ALv2": "Functional Source License, Version 1.1, ALv2 Future License", + "FSL-1.1-MIT": "Functional 
Source License, Version 1.1, MIT Future License", + "FTL": "Freetype Project License", + "Furuseth": "Furuseth License", + "fwlw": "fwlw License", + "Game-Programming-Gems": "Game Programming Gems License", + "GCR-docs": "Gnome GCR Documentation License", + "GD": "GD License", + "generic-xts": "Generic XTS License", + "GFDL-1.1": "GNU Free Documentation License v1.1", + "GFDL-1.1-invariants-only": "GNU Free Documentation License v1.1 only - invariants", + "GFDL-1.1-invariants-or-later": "GNU Free Documentation License v1.1 or later - invariants", + "GFDL-1.1-no-invariants-only": "GNU Free Documentation License v1.1 only - no invariants", + "GFDL-1.1-no-invariants-or-later": "GNU Free Documentation License v1.1 or later - no invariants", + "GFDL-1.1-only": "GNU Free Documentation License v1.1 only", + "GFDL-1.1-or-later": "GNU Free Documentation License v1.1 or later", + "GFDL-1.2": "GNU Free Documentation License v1.2", + "GFDL-1.2-invariants-only": "GNU Free Documentation License v1.2 only - invariants", + "GFDL-1.2-invariants-or-later": "GNU Free Documentation License v1.2 or later - invariants", + "GFDL-1.2-no-invariants-only": "GNU Free Documentation License v1.2 only - no invariants", + "GFDL-1.2-no-invariants-or-later": "GNU Free Documentation License v1.2 or later - no invariants", + "GFDL-1.2-only": "GNU Free Documentation License v1.2 only", + "GFDL-1.2-or-later": "GNU Free Documentation License v1.2 or later", + "GFDL-1.3": "GNU Free Documentation License v1.3", + "GFDL-1.3-invariants-only": "GNU Free Documentation License v1.3 only - invariants", + "GFDL-1.3-invariants-or-later": "GNU Free Documentation License v1.3 or later - invariants", + "GFDL-1.3-no-invariants-only": "GNU Free Documentation License v1.3 only - no invariants", + "GFDL-1.3-no-invariants-or-later": "GNU Free Documentation License v1.3 or later - no invariants", + "GFDL-1.3-only": "GNU Free Documentation License v1.3 only", + "GFDL-1.3-or-later": "GNU Free Documentation License v1.3 or 
later", + "Giftware": "Giftware License", + "GL2PS": "GL2PS License", + "Glide": "3dfx Glide License", + "Glulxe": "Glulxe License", + "GLWTPL": "Good Luck With That Public License", + "gnuplot": "gnuplot License", + "GPL-1.0": "GNU General Public License v1.0 only", + "GPL-1.0+": "GNU General Public License v1.0 or later", + "GPL-1.0-only": "GNU General Public License v1.0 only", + "GPL-1.0-or-later": "GNU General Public License v1.0 or later", + "GPL-2.0": "GNU General Public License v2.0 only", + "GPL-2.0+": "GNU General Public License v2.0 or later", + "GPL-2.0-only": "GNU General Public License v2.0 only", + "GPL-2.0-or-later": "GNU General Public License v2.0 or later", + "GPL-2.0-with-autoconf-exception": "GNU General Public License v2.0 w\/Autoconf exception", + "GPL-2.0-with-bison-exception": "GNU General Public License v2.0 w\/Bison exception", + "GPL-2.0-with-classpath-exception": "GNU General Public License v2.0 w\/Classpath exception", + "GPL-2.0-with-font-exception": "GNU General Public License v2.0 w\/Font exception", + "GPL-2.0-with-GCC-exception": "GNU General Public License v2.0 w\/GCC Runtime Library exception", + "GPL-3.0": "GNU General Public License v3.0 only", + "GPL-3.0+": "GNU General Public License v3.0 or later", + "GPL-3.0-only": "GNU General Public License v3.0 only", + "GPL-3.0-or-later": "GNU General Public License v3.0 or later", + "GPL-3.0-with-autoconf-exception": "GNU General Public License v3.0 w\/Autoconf exception", + "GPL-3.0-with-GCC-exception": "GNU General Public License v3.0 w\/GCC Runtime Library exception", + "Graphics-Gems": "Graphics Gems License", + "gSOAP-1.3b": "gSOAP Public License v1.3b", + "gtkbook": "gtkbook License", + "Gutmann": "Gutmann License", + "HaskellReport": "Haskell Language Report License", + "HDF5": "HDF5 License", + "hdparm": "hdparm License", + "HIDAPI": "HIDAPI License", + "Hippocratic-2.1": "Hippocratic License 2.1", + "HP-1986": "Hewlett-Packard 1986 License", + "HP-1989": "Hewlett-Packard 1989 
License", + "HPND": "Historical Permission Notice and Disclaimer", + "HPND-DEC": "Historical Permission Notice and Disclaimer - DEC variant", + "HPND-doc": "Historical Permission Notice and Disclaimer - documentation variant", + "HPND-doc-sell": "Historical Permission Notice and Disclaimer - documentation sell variant", + "HPND-export-US": "HPND with US Government export control warning", + "HPND-export-US-acknowledgement": "HPND with US Government export control warning and acknowledgment", + "HPND-export-US-modify": "HPND with US Government export control warning and modification rqmt", + "HPND-export2-US": "HPND with US Government export control and 2 disclaimers", + "HPND-Fenneberg-Livingston": "Historical Permission Notice and Disclaimer - Fenneberg-Livingston variant", + "HPND-INRIA-IMAG": "Historical Permission Notice and Disclaimer - INRIA-IMAG variant", + "HPND-Intel": "Historical Permission Notice and Disclaimer - Intel variant", + "HPND-Kevlin-Henney": "Historical Permission Notice and Disclaimer - Kevlin Henney variant", + "HPND-Markus-Kuhn": "Historical Permission Notice and Disclaimer - Markus Kuhn variant", + "HPND-merchantability-variant": "Historical Permission Notice and Disclaimer - merchantability variant", + "HPND-MIT-disclaimer": "Historical Permission Notice and Disclaimer with MIT disclaimer", + "HPND-Netrek": "Historical Permission Notice and Disclaimer - Netrek variant", + "HPND-Pbmplus": "Historical Permission Notice and Disclaimer - Pbmplus variant", + "HPND-sell-MIT-disclaimer-xserver": "Historical Permission Notice and Disclaimer - sell xserver variant with MIT disclaimer", + "HPND-sell-regexpr": "Historical Permission Notice and Disclaimer - sell regexpr variant", + "HPND-sell-variant": "Historical Permission Notice and Disclaimer - sell variant", + "HPND-sell-variant-critical-systems": "HPND - sell variant with safety critical systems clause", + "HPND-sell-variant-MIT-disclaimer": "HPND sell variant with MIT disclaimer", + 
"HPND-sell-variant-MIT-disclaimer-rev": "HPND sell variant with MIT disclaimer - reverse", + "HPND-SMC": "Historical Permission Notice and Disclaimer - SMC variant", + "HPND-UC": "Historical Permission Notice and Disclaimer - University of California variant", + "HPND-UC-export-US": "Historical Permission Notice and Disclaimer - University of California, US export warning", + "HTMLTIDY": "HTML Tidy License", + "hyphen-bulgarian": "hyphen-bulgarian License", + "IBM-pibs": "IBM PowerPC Initialization and Boot Software", + "ICU": "ICU License", + "IEC-Code-Components-EULA": "IEC Code Components End-user licence agreement", + "IJG": "Independent JPEG Group License", + "IJG-short": "Independent JPEG Group License - short", + "ImageMagick": "ImageMagick License", + "iMatix": "iMatix Standard Function Library Agreement", + "Imlib2": "Imlib2 License", + "Info-ZIP": "Info-ZIP License", + "Inner-Net-2.0": "Inner Net License v2.0", + "InnoSetup": "Inno Setup License", + "Intel": "Intel Open Source License", + "Intel-ACPI": "Intel ACPI Software License Agreement", + "Interbase-1.0": "Interbase Public License v1.0", + "IPA": "IPA Font License", + "IPL-1.0": "IBM Public License v1.0", + "ISC": "ISC License", + "ISC-Veillard": "ISC Veillard variant", + "ISO-permission": "ISO permission notice", + "Jam": "Jam License", + "JasPer-2.0": "JasPer License", + "jove": "Jove License", + "JPL-image": "JPL Image Use Policy", + "JPNIC": "Japan Network Information Center License", + "JSON": "JSON License", + "Kastrup": "Kastrup License", + "Kazlib": "Kazlib License", + "Knuth-CTAN": "Knuth CTAN License", + "LAL-1.2": "Licence Art Libre 1.2", + "LAL-1.3": "Licence Art Libre 1.3", + "Latex2e": "Latex2e License", + "Latex2e-translated-notice": "Latex2e with translated notice permission", + "Leptonica": "Leptonica License", + "LGPL-2.0": "GNU Library General Public License v2 only", + "LGPL-2.0+": "GNU Library General Public License v2 or later", + "LGPL-2.0-only": "GNU Library General Public 
License v2 only", + "LGPL-2.0-or-later": "GNU Library General Public License v2 or later", + "LGPL-2.1": "GNU Lesser General Public License v2.1 only", + "LGPL-2.1+": "GNU Lesser General Public License v2.1 or later", + "LGPL-2.1-only": "GNU Lesser General Public License v2.1 only", + "LGPL-2.1-or-later": "GNU Lesser General Public License v2.1 or later", + "LGPL-3.0": "GNU Lesser General Public License v3.0 only", + "LGPL-3.0+": "GNU Lesser General Public License v3.0 or later", + "LGPL-3.0-only": "GNU Lesser General Public License v3.0 only", + "LGPL-3.0-or-later": "GNU Lesser General Public License v3.0 or later", + "LGPLLR": "Lesser General Public License For Linguistic Resources", + "Libpng": "libpng License", + "libpng-1.6.35": "PNG Reference Library License v1 (for libpng 0.5 through 1.6.35)", + "libpng-2.0": "PNG Reference Library version 2", + "libselinux-1.0": "libselinux public domain notice", + "libtiff": "libtiff License", + "libutil-David-Nugent": "libutil David Nugent License", + "LiLiQ-P-1.1": "Licence Libre du Qu\u00E9bec \u2013 Permissive version 1.1", + "LiLiQ-R-1.1": "Licence Libre du Qu\u00E9bec \u2013 R\u00E9ciprocit\u00E9 version 1.1", + "LiLiQ-Rplus-1.1": "Licence Libre du Qu\u00E9bec \u2013 R\u00E9ciprocit\u00E9 forte version 1.1", + "Linux-man-pages-1-para": "Linux man-pages - 1 paragraph", + "Linux-man-pages-copyleft": "Linux man-pages Copyleft", + "Linux-man-pages-copyleft-2-para": "Linux man-pages Copyleft - 2 paragraphs", + "Linux-man-pages-copyleft-var": "Linux man-pages Copyleft Variant", + "Linux-OpenIB": "Linux Kernel Variant of OpenIB.org license", + "LOOP": "Common Lisp LOOP License", + "LPD-document": "LPD Documentation License", + "LPL-1.0": "Lucent Public License Version 1.0", + "LPL-1.02": "Lucent Public License v1.02", + "LPPL-1.0": "LaTeX Project Public License v1.0", + "LPPL-1.1": "LaTeX Project Public License v1.1", + "LPPL-1.2": "LaTeX Project Public License v1.2", + "LPPL-1.3a": "LaTeX Project Public License v1.3a", + 
"LPPL-1.3c": "LaTeX Project Public License v1.3c", + "lsof": "lsof License", + "Lucida-Bitmap-Fonts": "Lucida Bitmap Fonts License", + "LZMA-SDK-9.11-to-9.20": "LZMA SDK License (versions 9.11 to 9.20)", + "LZMA-SDK-9.22": "LZMA SDK License (versions 9.22 and beyond)", + "Mackerras-3-Clause": "Mackerras 3-Clause License", + "Mackerras-3-Clause-acknowledgment": "Mackerras 3-Clause - acknowledgment variant", + "magaz": "magaz License", + "mailprio": "mailprio License", + "MakeIndex": "MakeIndex License", + "man2html": "man2html License", + "Martin-Birgmeier": "Martin Birgmeier License", + "McPhee-slideshow": "McPhee Slideshow License", + "metamail": "metamail License", + "Minpack": "Minpack License", + "MIPS": "MIPS License", + "MirOS": "The MirOS Licence", + "MIT": "MIT License", + "MIT-0": "MIT No Attribution", + "MIT-advertising": "Enlightenment License (e16)", + "MIT-Click": "MIT Click License", + "MIT-CMU": "CMU License", + "MIT-enna": "enna License", + "MIT-feh": "feh License", + "MIT-Festival": "MIT Festival Variant", + "MIT-Khronos-old": "MIT Khronos - old variant", + "MIT-Modern-Variant": "MIT License Modern Variant", + "MIT-open-group": "MIT Open Group variant", + "MIT-STK": "MIT-STK License", + "MIT-testregex": "MIT testregex Variant", + "MIT-Wu": "MIT Tom Wu Variant", + "MITNFA": "MIT +no-false-attribs license", + "MMIXware": "MMIXware License", + "MMPL-1.0.1": "Minecraft Mod Public License v1.0.1", + "Motosoto": "Motosoto License", + "MPEG-SSG": "MPEG Software Simulation", + "mpi-permissive": "mpi Permissive License", + "mpich2": "mpich2 License", + "MPL-1.0": "Mozilla Public License 1.0", + "MPL-1.1": "Mozilla Public License 1.1", + "MPL-2.0": "Mozilla Public License 2.0", + "MPL-2.0-no-copyleft-exception": "Mozilla Public License 2.0 (no copyleft exception)", + "mplus": "mplus Font License", + "MS-LPL": "Microsoft Limited Public License", + "MS-PL": "Microsoft Public License", + "MS-RL": "Microsoft Reciprocal License", + "MTLL": "Matrix Template 
Library License", + "MulanPSL-1.0": "Mulan Permissive Software License, Version 1", + "MulanPSL-2.0": "Mulan Permissive Software License, Version 2", + "Multics": "Multics License", + "Mup": "Mup License", + "NAIST-2003": "Nara Institute of Science and Technology License (2003)", + "NASA-1.3": "NASA Open Source Agreement 1.3", + "Naumen": "Naumen Public License", + "NBPL-1.0": "Net Boolean Public License v1", + "NCBI-PD": "NCBI Public Domain Notice", + "NCGL-UK-2.0": "Non-Commercial Government Licence", + "NCL": "NCL Source Code License", + "NCSA": "University of Illinois\/NCSA Open Source License", + "Net-SNMP": "Net-SNMP License", + "NetCDF": "NetCDF license", + "Newsletr": "Newsletr License", + "NGPL": "Nethack General Public License", + "ngrep": "ngrep License", + "NICTA-1.0": "NICTA Public Software License, Version 1.0", + "NIST-PD": "NIST Public Domain Notice", + "NIST-PD-fallback": "NIST Public Domain Notice with license fallback", + "NIST-PD-TNT": "NIST Public Domain Notice TNT variant", + "NIST-Software": "NIST Software License", + "NLOD-1.0": "Norwegian Licence for Open Government Data (NLOD) 1.0", + "NLOD-2.0": "Norwegian Licence for Open Government Data (NLOD) 2.0", + "NLPL": "No Limit Public License", + "Nokia": "Nokia Open Source License", + "NOSL": "Netizen Open Source License", + "Noweb": "Noweb License", + "NPL-1.0": "Netscape Public License v1.0", + "NPL-1.1": "Netscape Public License v1.1", + "NPOSL-3.0": "Non-Profit Open Software License 3.0", + "NRL": "NRL License", + "NTIA-PD": "NTIA Public Domain Notice", + "NTP": "NTP License", + "NTP-0": "NTP No Attribution", + "Nunit": "Nunit License", + "O-UDA-1.0": "Open Use of Data Agreement v1.0", + "OAR": "OAR License", + "OCCT-PL": "Open CASCADE Technology Public License", + "OCLC-2.0": "OCLC Research Public License 2.0", + "ODbL-1.0": "Open Data Commons Open Database License v1.0", + "ODC-By-1.0": "Open Data Commons Attribution License v1.0", + "OFFIS": "OFFIS License", + "OFL-1.0": "SIL Open Font 
License 1.0", + "OFL-1.0-no-RFN": "SIL Open Font License 1.0 with no Reserved Font Name", + "OFL-1.0-RFN": "SIL Open Font License 1.0 with Reserved Font Name", + "OFL-1.1": "SIL Open Font License 1.1", + "OFL-1.1-no-RFN": "SIL Open Font License 1.1 with no Reserved Font Name", + "OFL-1.1-RFN": "SIL Open Font License 1.1 with Reserved Font Name", + "OGC-1.0": "OGC Software License, Version 1.0", + "OGDL-Taiwan-1.0": "Taiwan Open Government Data License, version 1.0", + "OGL-Canada-2.0": "Open Government Licence - Canada", + "OGL-UK-1.0": "Open Government Licence v1.0", + "OGL-UK-2.0": "Open Government Licence v2.0", + "OGL-UK-3.0": "Open Government Licence v3.0", + "OGTSL": "Open Group Test Suite License", + "OLDAP-1.1": "Open LDAP Public License v1.1", + "OLDAP-1.2": "Open LDAP Public License v1.2", + "OLDAP-1.3": "Open LDAP Public License v1.3", + "OLDAP-1.4": "Open LDAP Public License v1.4", + "OLDAP-2.0": "Open LDAP Public License v2.0 (or possibly 2.0A and 2.0B)", + "OLDAP-2.0.1": "Open LDAP Public License v2.0.1", + "OLDAP-2.1": "Open LDAP Public License v2.1", + "OLDAP-2.2": "Open LDAP Public License v2.2", + "OLDAP-2.2.1": "Open LDAP Public License v2.2.1", + "OLDAP-2.2.2": "Open LDAP Public License 2.2.2", + "OLDAP-2.3": "Open LDAP Public License v2.3", + "OLDAP-2.4": "Open LDAP Public License v2.4", + "OLDAP-2.5": "Open LDAP Public License v2.5", + "OLDAP-2.6": "Open LDAP Public License v2.6", + "OLDAP-2.7": "Open LDAP Public License v2.7", + "OLDAP-2.8": "Open LDAP Public License v2.8", + "OLFL-1.3": "Open Logistics Foundation License Version 1.3", + "OML": "Open Market License", + "OpenMDW-1.0": "OpenMDW License Agreement v1.0", + "OpenPBS-2.3": "OpenPBS v2.3 Software License", + "OpenSSL": "OpenSSL License", + "OpenSSL-standalone": "OpenSSL License - standalone", + "OpenVision": "OpenVision License", + "OPL-1.0": "Open Public License v1.0", + "OPL-UK-3.0": "United Kingdom Open Parliament Licence v3.0", + "OPUBL-1.0": "Open Publication License v1.0", + 
"OSC-1.0": "OSC License 1.0", + "OSET-PL-2.1": "OSET Public License version 2.1", + "OSL-1.0": "Open Software License 1.0", + "OSL-1.1": "Open Software License 1.1", + "OSL-2.0": "Open Software License 2.0", + "OSL-2.1": "Open Software License 2.1", + "OSL-3.0": "Open Software License 3.0", + "OSSP": "OSSP License", + "PADL": "PADL License", + "ParaType-Free-Font-1.3": "ParaType Free Font Licensing Agreement v1.3", + "Parity-6.0.0": "The Parity Public License 6.0.0", + "Parity-7.0.0": "The Parity Public License 7.0.0", + "PDDL-1.0": "Open Data Commons Public Domain Dedication & License 1.0", + "PHP-3.0": "PHP License v3.0", + "PHP-3.01": "PHP License v3.01", + "Pixar": "Pixar License", + "pkgconf": "pkgconf License", + "Plexus": "Plexus Classworlds License", + "pnmstitch": "pnmstitch License", + "PolyForm-Noncommercial-1.0.0": "PolyForm Noncommercial License 1.0.0", + "PolyForm-Small-Business-1.0.0": "PolyForm Small Business License 1.0.0", + "PostgreSQL": "PostgreSQL License", + "PPL": "Peer Production License", + "PSF-2.0": "Python Software Foundation License 2.0", + "psfrag": "psfrag License", + "psutils": "psutils License", + "Python-2.0": "Python License 2.0", + "Python-2.0.1": "Python License 2.0.1", + "python-ldap": "Python ldap License", + "Qhull": "Qhull License", + "QPL-1.0": "Q Public License 1.0", + "QPL-1.0-INRIA-2004": "Q Public License 1.0 - INRIA 2004 variant", + "radvd": "radvd License", + "Rdisc": "Rdisc License", + "RHeCos-1.1": "Red Hat eCos Public License v1.1", + "RPL-1.1": "Reciprocal Public License 1.1", + "RPL-1.5": "Reciprocal Public License 1.5", + "RPSL-1.0": "RealNetworks Public Source License v1.0", + "RSA-MD": "RSA Message-Digest License", + "RSCPL": "Ricoh Source Code Public License", + "Ruby": "Ruby License", + "Ruby-pty": "Ruby pty extension license", + "SAX-PD": "Sax Public Domain Notice", + "SAX-PD-2.0": "Sax Public Domain Notice 2.0", + "Saxpath": "Saxpath License", + "SCEA": "SCEA Shared Source License", + "SchemeReport": 
"Scheme Language Report License", + "Sendmail": "Sendmail License", + "Sendmail-8.23": "Sendmail License 8.23", + "Sendmail-Open-Source-1.1": "Sendmail Open Source License v1.1", + "SGI-B-1.0": "SGI Free Software License B v1.0", + "SGI-B-1.1": "SGI Free Software License B v1.1", + "SGI-B-2.0": "SGI Free Software License B v2.0", + "SGI-OpenGL": "SGI OpenGL License", + "SGMLUG-PM": "SGMLUG Parser Materials License", + "SGP4": "SGP4 Permission Notice", + "SHL-0.5": "Solderpad Hardware License v0.5", + "SHL-0.51": "Solderpad Hardware License, Version 0.51", + "SimPL-2.0": "Simple Public License 2.0", + "SISSL": "Sun Industry Standards Source License v1.1", + "SISSL-1.2": "Sun Industry Standards Source License v1.2", + "SL": "SL License", + "Sleepycat": "Sleepycat License", + "SMAIL-GPL": "SMAIL General Public License", + "SMLNJ": "Standard ML of New Jersey License", + "SMPPL": "Secure Messaging Protocol Public License", + "SNIA": "SNIA Public License 1.1", + "snprintf": "snprintf License", + "SOFA": "SOFA Software License", + "softSurfer": "softSurfer License", + "Soundex": "Soundex License", + "Spencer-86": "Spencer License 86", + "Spencer-94": "Spencer License 94", + "Spencer-99": "Spencer License 99", + "SPL-1.0": "Sun Public License v1.0", + "ssh-keyscan": "ssh-keyscan License", + "SSH-OpenSSH": "SSH OpenSSH license", + "SSH-short": "SSH short notice", + "SSLeay-standalone": "SSLeay License - standalone", + "SSPL-1.0": "Server Side Public License, v 1", + "StandardML-NJ": "Standard ML of New Jersey License", + "SugarCRM-1.1.3": "SugarCRM Public License v1.1.3", + "SUL-1.0": "Sustainable Use License v1.0", + "Sun-PPP": "Sun PPP License", + "Sun-PPP-2000": "Sun PPP License (2000)", + "SunPro": "SunPro License", + "SWL": "Scheme Widget Library (SWL) Software License Agreement", + "swrule": "swrule License", + "Symlinks": "Symlinks License", + "TAPR-OHL-1.0": "TAPR Open Hardware License v1.0", + "TCL": "TCL\/TK License", + "TCP-wrappers": "TCP Wrappers License", + 
"TekHVC": "TekHVC License", + "TermReadKey": "TermReadKey License", + "TGPPL-1.0": "Transitive Grace Period Public Licence 1.0", + "ThirdEye": "ThirdEye License", + "threeparttable": "threeparttable License", + "TMate": "TMate Open Source License", + "TORQUE-1.1": "TORQUE v2.5+ Software License v1.1", + "TOSL": "Trusster Open Source License", + "TPDL": "Time::ParseDate License", + "TPL-1.0": "THOR Public License 1.0", + "TrustedQSL": "TrustedQSL License", + "TTWL": "Text-Tabs+Wrap License", + "TTYP0": "TTYP0 License", + "TU-Berlin-1.0": "Technische Universitaet Berlin License 1.0", + "TU-Berlin-2.0": "Technische Universitaet Berlin License 2.0", + "Ubuntu-font-1.0": "Ubuntu Font Licence v1.0", + "UCAR": "UCAR License", + "UCL-1.0": "Upstream Compatibility License v1.0", + "ulem": "ulem License", + "UMich-Merit": "Michigan\/Merit Networks License", + "Unicode-3.0": "Unicode License v3", + "Unicode-DFS-2015": "Unicode License Agreement - Data Files and Software (2015)", + "Unicode-DFS-2016": "Unicode License Agreement - Data Files and Software (2016)", + "Unicode-TOU": "Unicode Terms of Use", + "UnixCrypt": "UnixCrypt License", + "Unlicense": "The Unlicense", + "Unlicense-libtelnet": "Unlicense - libtelnet variant", + "Unlicense-libwhirlpool": "Unlicense - libwhirlpool variant", + "UnRAR": "UnRAR License", + "UPL-1.0": "Universal Permissive License v1.0", + "URT-RLE": "Utah Raster Toolkit Run Length Encoded License", + "Vim": "Vim License", + "Vixie-Cron": "Vixie Cron License", + "VOSTROM": "VOSTROM Public License for Open Source", + "VSL-1.0": "Vovida Software License v1.0", + "W3C": "W3C Software Notice and License (2002-12-31)", + "W3C-19980720": "W3C Software Notice and License (1998-07-20)", + "W3C-20150513": "W3C Software Notice and Document License (2015-05-13)", + "w3m": "w3m License", + "Watcom-1.0": "Sybase Open Watcom Public License 1.0", + "Widget-Workshop": "Widget Workshop License", + "WordNet": "WordNet License", + "Wsuipa": "Wsuipa License", + 
"WTFNMFPL": "Do What The F*ck You Want To But It's Not My Fault Public License", + "WTFPL": "Do What The F*ck You Want To Public License", + "wwl": "WWL License", + "wxWindows": "wxWindows Library License", + "X11": "X11 License", + "X11-distribute-modifications-variant": "X11 License Distribution Modification Variant", + "X11-no-permit-persons": "X11 no permit persons clause", + "X11-swapped": "X11 swapped final paragraphs", + "Xdebug-1.03": "Xdebug License v 1.03", + "Xerox": "Xerox License", + "Xfig": "Xfig License", + "XFree86-1.1": "XFree86 License 1.1", + "xinetd": "xinetd License", + "xkeyboard-config-Zinoviev": "xkeyboard-config Zinoviev License", + "xlock": "xlock License", + "Xnet": "X.Net License", + "xpp": "XPP License", + "XSkat": "XSkat License", + "xzoom": "xzoom License", + "YPL-1.0": "Yahoo! Public License v1.0", + "YPL-1.1": "Yahoo! Public License v1.1", + "Zed": "Zed License", + "Zeeff": "Zeeff License", + "Zend-2.0": "Zend License v2.0", + "Zimbra-1.3": "Zimbra Public License v1.3", + "Zimbra-1.4": "Zimbra Public License v1.4", + "Zlib": "zlib License", + "zlib-acknowledgement": "zlib\/libpng License with Acknowledgement", + "ZPL-1.1": "Zope Public License 1.1", + "ZPL-2.0": "Zope Public License 2.0", + "ZPL-2.1": "Zope Public License 2.1", + "389-exception": "389 Directory Server Exception", + "Asterisk-exception": "Asterisk exception", + "Asterisk-linking-protocols-exception": "Asterisk linking protocols exception", + "Autoconf-exception-2.0": "Autoconf exception 2.0", + "Autoconf-exception-3.0": "Autoconf exception 3.0", + "Autoconf-exception-generic": "Autoconf generic exception", + "Autoconf-exception-generic-3.0": "Autoconf generic exception for GPL-3.0", + "Autoconf-exception-macro": "Autoconf macro exception", + "Bison-exception-1.24": "Bison exception 1.24", + "Bison-exception-2.2": "Bison exception 2.2", + "Bootloader-exception": "Bootloader Distribution Exception", + "CGAL-linking-exception": "CGAL Linking Exception", + 
"Classpath-exception-2.0": "Classpath exception 2.0", + "Classpath-exception-2.0-short": "Classpath exception 2.0 - short", + "CLISP-exception-2.0": "CLISP exception 2.0", + "cryptsetup-OpenSSL-exception": "cryptsetup OpenSSL exception", + "Digia-Qt-LGPL-exception-1.1": "Digia Qt LGPL Exception version 1.1", + "DigiRule-FOSS-exception": "DigiRule FOSS License Exception", + "eCos-exception-2.0": "eCos exception 2.0", + "erlang-otp-linking-exception": "Erlang\/OTP Linking Exception", + "Fawkes-Runtime-exception": "Fawkes Runtime Exception", + "FLTK-exception": "FLTK exception", + "fmt-exception": "fmt exception", + "Font-exception-2.0": "Font exception 2.0", + "freertos-exception-2.0": "FreeRTOS Exception 2.0", + "GCC-exception-2.0": "GCC Runtime Library exception 2.0", + "GCC-exception-2.0-note": "GCC Runtime Library exception 2.0 - note variant", + "GCC-exception-3.1": "GCC Runtime Library exception 3.1", + "Gmsh-exception": "Gmsh exception", + "GNAT-exception": "GNAT exception", + "GNOME-examples-exception": "GNOME examples exception", + "GNU-compiler-exception": "GNU Compiler Exception", + "gnu-javamail-exception": "GNU JavaMail exception", + "GPL-3.0-389-ds-base-exception": "GPL-3.0 389 DS Base Exception", + "GPL-3.0-interface-exception": "GPL-3.0 Interface Exception", + "GPL-3.0-linking-exception": "GPL-3.0 Linking Exception", + "GPL-3.0-linking-source-exception": "GPL-3.0 Linking Exception (with Corresponding Source)", + "GPL-CC-1.0": "GPL Cooperation Commitment 1.0", + "GStreamer-exception-2005": "GStreamer Exception (2005)", + "GStreamer-exception-2008": "GStreamer Exception (2008)", + "harbour-exception": "harbour exception", + "i2p-gpl-java-exception": "i2p GPL+Java Exception", + "Independent-modules-exception": "Independent Module Linking exception", + "KiCad-libraries-exception": "KiCad Libraries Exception", + "kvirc-openssl-exception": "kvirc OpenSSL Exception", + "LGPL-3.0-linking-exception": "LGPL-3.0 Linking Exception", + "libpri-OpenH323-exception": 
"libpri OpenH323 exception", + "Libtool-exception": "Libtool Exception", + "Linux-syscall-note": "Linux Syscall Note", + "LLGPL": "LLGPL Preamble", + "LLVM-exception": "LLVM Exception", + "LZMA-exception": "LZMA exception", + "mif-exception": "Macros and Inline Functions Exception", + "mxml-exception": "mxml Exception", + "Nokia-Qt-exception-1.1": "Nokia Qt LGPL exception 1.1", + "OCaml-LGPL-linking-exception": "OCaml LGPL Linking Exception", + "OCCT-exception-1.0": "Open CASCADE Exception 1.0", + "OpenJDK-assembly-exception-1.0": "OpenJDK Assembly exception 1.0", + "openvpn-openssl-exception": "OpenVPN OpenSSL Exception", + "PCRE2-exception": "PCRE2 exception", + "polyparse-exception": "Polyparse Exception", + "PS-or-PDF-font-exception-20170817": "PS\/PDF font exception (2017-08-17)", + "QPL-1.0-INRIA-2004-exception": "INRIA QPL 1.0 2004 variant exception", + "Qt-GPL-exception-1.0": "Qt GPL exception 1.0", + "Qt-LGPL-exception-1.1": "Qt LGPL exception 1.1", + "Qwt-exception-1.0": "Qwt exception 1.0", + "romic-exception": "Romic Exception", + "RRDtool-FLOSS-exception-2.0": "RRDtool FLOSS exception 2.0", + "rsync-linking-exception": "rsync Linking Exception", + "SANE-exception": "SANE Exception", + "SHL-2.0": "Solderpad Hardware License v2.0", + "SHL-2.1": "Solderpad Hardware License v2.1", + "Simple-Library-Usage-exception": "Simple Library Usage Exception", + "sqlitestudio-OpenSSL-exception": "sqlitestudio OpenSSL exception", + "stunnel-exception": "stunnel Exception", + "SWI-exception": "SWI exception", + "Swift-exception": "Swift Exception", + "Texinfo-exception": "Texinfo exception", + "u-boot-exception-2.0": "U-Boot exception 2.0", + "UBDL-exception": "Unmodified Binary Distribution exception", + "Universal-FOSS-exception-1.0": "Universal FOSS Exception, Version 1.0", + "vsftpd-openssl-exception": "vsftpd OpenSSL exception", + "WxWindows-exception-3.1": "WxWindows Library Exception 3.1", + "x11vnc-openssl-exception": "x11vnc OpenSSL Exception" + } } 
diff --git a/cyclonedx/schema/_res/spdx.SNAPSHOT.xsd b/cyclonedx/schema/_res/spdx.SNAPSHOT.xsd index 41a27b02d..e94c265bd 100644 --- a/cyclonedx/schema/_res/spdx.SNAPSHOT.xsd +++ b/cyclonedx/schema/_res/spdx.SNAPSHOT.xsd @@ -2,7 +2,7 @@ + version="1.0-3.28.0"> @@ -57,6 +57,11 @@ Amazon Digital Services License + + + Advanced Cryptics Dictionary License + + Academic Free License v1.1 @@ -122,6 +127,11 @@ Aladdin Free Public License + + + ALGLIB Documentation License + + AMD newlib License @@ -327,6 +337,11 @@ Boehm-Demers-Weiser GC License (without fee) + + + Buena Onda License Agreement v1.1 + + Borceux license @@ -457,6 +472,11 @@ BSD 3-Clause Sun Microsystems + + + BSD 3-Clause Tso variant + + BSD 4-Clause "Original" or "Old" License @@ -497,6 +517,11 @@ BSD-Inferno-Nettverk + + + BSD Mark Modifications License + + BSD Protection License @@ -527,6 +552,11 @@ Boost Software License 1.0 + + + Buddy License + + Business Source License 1.1 @@ -567,6 +597,11 @@ Caldera License (without preamble) + + + Common Attack Pattern Enumeration and Classification License + + Catharon License @@ -1212,6 +1247,21 @@ Erlang Public License v1.1 + + + European Space Agency Public License – v2.4 – Permissive (Type 3) + + + + + European Space Agency Public License (ESA-PL) - V2.4 - Strong Copyleft (Type 1) + + + + + European Space Agency Public License – v2.4 – Weak Copyleft (Type 2) + + Etalab Open License 2.0 @@ -1737,6 +1787,11 @@ Historical Permission Notice and Disclaimer - sell variant + + + HPND - sell variant with safety critical systems clause + + HPND sell variant with MIT disclaimer @@ -1747,6 +1802,11 @@ HPND sell variant with MIT disclaimer - reverse + + + Historical Permission Notice and Disclaimer - SMC variant + + Historical Permission Notice and Disclaimer - University of California variant @@ -1762,6 +1822,11 @@ HTML Tidy License + + + hyphen-bulgarian License + + IBM PowerPC Initialization and Boot Software 
@@ -1852,6 +1917,11 @@ ISC Veillard variant + + + ISO permission notice + + Jam License @@ -2237,6 +2307,11 @@ MIT Open Group variant + + + MIT-STK License + + MIT testregex Variant @@ -2257,6 +2332,11 @@ MMIXware License + + + Minecraft Mod Public License v1.0.1 + + Motosoto License @@ -2422,6 +2502,11 @@ NIST Public Domain Notice with license fallback + + + NIST Public Domain Notice TNT variant + + NIST Software License @@ -2687,6 +2772,11 @@ Open Market License + + + OpenMDW License Agreement v1.0 + + OpenPBS v2.3 Software License @@ -2722,6 +2812,11 @@ Open Publication License v1.0 + + + OSC License 1.0 + + OSET Public License version 2.1 @@ -2752,11 +2847,21 @@ Open Software License 3.0 + + + OSSP License + + PADL License + + + ParaType Free Font Licensing Agreement v1.3 + + The Parity Public License 6.0.0 @@ -2977,6 +3082,11 @@ SGI OpenGL License + + + SGMLUG Parser Materials License + + SGP4 Permission Notice @@ -3162,6 +3272,11 @@ TCP Wrappers License + + + TekHVC License + + TermReadKey License @@ -3297,6 +3412,11 @@ Unlicense - libwhirlpool variant + + + UnRAR License + + Universal Permissive License v1.0 @@ -3312,6 +3432,11 @@ Vim License + + + Vixie Cron License + + VOSTROM Public License for Open Source @@ -3352,11 +3477,21 @@ Widget Workshop License + + + WordNet License + + Wsuipa License + + + Do What The F*ck You Want To But It's Not My Fault Public License + + Do What The F*ck You Want To Public License @@ -3382,6 +3517,11 @@ X11 License Distribution Modification Variant + + + X11 no permit persons clause + + X11 swapped final paragraphs @@ -3568,6 +3708,11 @@ Classpath exception 2.0 + + + Classpath exception 2.0 - short + + CLISP exception 2.0 @@ -3718,6 +3863,11 @@ KiCad Libraries Exception + + + kvirc OpenSSL Exception + + LGPL-3.0 Linking Exception @@ -3833,6 +3983,11 @@ RRDtool FLOSS exception 2.0 + + + rsync Linking Exception + + SANE Exception 
@@ -3848,6 +4003,16 @@ Solderpad Hardware License v2.1 + + + Simple Library Usage Exception + + + + + sqlitestudio OpenSSL exception + + stunnel Exception From e537812860bc7800ee6252524da2353bee71aba3 Mon Sep 17 00:00:00 2001 From: "cyclonedx-releases[bot]" <275040549+cyclonedx-releases[bot]@users.noreply.github.com> Date: Thu, 4 Jun 2026 10:37:57 +0000 Subject: [PATCH 17/21] chore(release): 11.8.0 Automatically generated by python-semantic-release --- CHANGELOG.md | 18 ++++++++++++++++++ cyclonedx/__init__.py | 2 +- docs/conf.py | 2 +- pyproject.toml | 2 +- 4 files changed, 21 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 86d6a8728..2f3f88de9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,24 @@ +## v11.8.0 (2026-06-04) + +### Documentation + +- Update CDX summary ([#951](https://github.com/CycloneDX/cyclonedx-python-lib/pull/951), + [`752b162`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/752b1620a23e319add81c505fe7197a2ae3cca06)) + +### Features + +- Add support CycloneDX 1.7.1 & 1.6.2 & 1.5.1 + ([#985](https://github.com/CycloneDX/cyclonedx-python-lib/pull/985), + [`303889b`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/303889ba2b47033ae693c1af8bff552664e1910c)) + +- Pull SPDX license IDs v1.1-3.28.0 + ([#986](https://github.com/CycloneDX/cyclonedx-python-lib/pull/986), + [`42ff044`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/42ff04444fa054d86da2302bc62e1bffd3b397df)) + + ## v11.7.0 (2026-03-17) ### Documentation diff --git a/cyclonedx/__init__.py b/cyclonedx/__init__.py index ff9bd20b3..db0caaa76 100644 --- a/cyclonedx/__init__.py +++ b/cyclonedx/__init__.py @@ -22,4 +22,4 @@ # !! version is managed by semantic_release # do not use typing here, or else `semantic_release` might have issues finding the variable -__version__ = "11.7.0" # noqa:Q000 +__version__ = "11.8.0" # noqa:Q000 diff --git a/docs/conf.py b/docs/conf.py index 31daedd81..10d3d1577 100644 --- a/docs/conf.py 
+++ b/docs/conf.py @@ -23,7 +23,7 @@ # The full version, including alpha/beta/rc tags # !! version is managed by semantic_release -release = '11.7.0' +release = '11.8.0' # -- General configuration --------------------------------------------------- diff --git a/pyproject.toml b/pyproject.toml index 13862476d..c08d78751 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] name = "cyclonedx-python-lib" # !! version is managed by semantic_release -version = "11.7.0" +version = "11.8.0" description = "Python library for CycloneDX" authors = [ "Paul Horton ", From 5854695751e74853481d435a3662224ae6ecfc4f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jun 2026 09:00:03 +0200 Subject: [PATCH 18/21] chore(deps): bump snok/install-poetry from 1.4.1 to 1.4.2 (#990) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0d3e77499..4da1b27f9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -140,7 +140,7 @@ jobs: architecture: 'x64' - name: Install and configure Poetry # Seehttps://github.com/snok/install-poetry - uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 + uses: snok/install-poetry@a783c322200f0519c7926aa6faa857c4e23e9263 # v1.4.2 with: version: ${{ env.POETRY_VERSION }} virtualenvs-create: true From 2ce770fb1b337a97e3a0eb340f539ebc85902e17 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jun 2026 09:14:01 +0200 Subject: [PATCH 19/21] chore(deps): update m2r2 requirement from >=0.3.2 to >=0.3.4 (#970) 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- docs/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/requirements.txt b/docs/requirements.txt index 8cd9cd5f9..d58ad4980 100644 --- a/docs/requirements.txt +++ b/docs/requirements.txt @@ -1,4 +1,4 @@ -m2r2>=0.3.2 +m2r2>=0.3.4 sphinx>=8,<9 sphinx-autoapi>=3,<4 sphinx-rtd-theme>=3,<4 From b50238102553dc215b08796ea914072294f69489 Mon Sep 17 00:00:00 2001 From: Johannes Feichtner <343448+Churro@users.noreply.github.com> Date: Mon, 8 Jun 2026 09:22:37 +0200 Subject: [PATCH 20/21] feat: add support for license expression details (#908) Signed-off-by: Johannes Feichtner Co-authored-by: Jan Kowalleck --- cyclonedx/model/license.py | 182 +++++++++++++++++- tests/_data/models.py | 22 ++- .../get_bom_with_licenses-1.0.xml.bin | 5 + .../get_bom_with_licenses-1.1.xml.bin | 7 + .../get_bom_with_licenses-1.2.json.bin | 14 ++ .../get_bom_with_licenses-1.2.xml.bin | 8 + .../get_bom_with_licenses-1.3.json.bin | 14 ++ .../get_bom_with_licenses-1.3.xml.bin | 8 + .../get_bom_with_licenses-1.4.json.bin | 13 ++ .../get_bom_with_licenses-1.4.xml.bin | 7 + .../get_bom_with_licenses-1.5.json.bin | 13 ++ .../get_bom_with_licenses-1.5.xml.bin | 7 + .../get_bom_with_licenses-1.6.json.bin | 14 ++ .../get_bom_with_licenses-1.6.xml.bin | 7 + .../get_bom_with_licenses-1.7.json.bin | 32 +++ .../get_bom_with_licenses-1.7.xml.bin | 15 ++ tests/test_model_license.py | 51 ++++- 17 files changed, 415 insertions(+), 4 deletions(-) diff --git a/cyclonedx/model/license.py b/cyclonedx/model/license.py index b6e36f571..6fed14b38 100644 --- a/cyclonedx/model/license.py +++ b/cyclonedx/model/license.py 
@@ -34,6 +34,7 @@ from .._internal.compare import ComparableTuple as _ComparableTuple from ..exception.model import MutuallyExclusivePropertiesException from ..exception.serialization import CycloneDxDeserializationException +from ..schema import SchemaVersion from ..schema.schema import SchemaVersion1Dot5, SchemaVersion1Dot6, SchemaVersion1Dot7 from . import AttachedText, Property, XsUri from .bom_ref import BomRef 
@@ -278,6 +279,123 @@ def __repr__(self) -> str: return f'' +@serializable.serializable_class(ignore_unknown_during_deserialization=True) +class LicenseExpressionDetails: + """ + This is our internal representation of the ``licenseExpressionDetailedType`` complex type that specifies the details + and attributes related to a software license identifier within a CycloneDX BOM document. + + .. note:: + Introduced in CycloneDX v1.7 + + + .. note:: + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_licenseExpressionDetailedType + """ + + def __init__( + self, license_identifier: str, *, + bom_ref: Optional[Union[str, BomRef]] = None, + text: Optional[AttachedText] = None, + url: Optional[XsUri] = None, + ) -> None: + self._bom_ref = _bom_ref_from_str(bom_ref) + self.license_identifier = license_identifier + self.text = text + self.url = url + + @property + @serializable.xml_name('license-identifier') + @serializable.xml_string(serializable.XmlStringSerializationType.NORMALIZED_STRING) + @serializable.xml_attribute() + def license_identifier(self) -> str: + """ + A valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements. + This field serves as the primary key, which uniquely identifies each record. + + Example values: + - "Apache-2.0", + - "GPL-3.0-only WITH Classpath-exception-2.0" + - "LicenseRef-my-custom-license" + + Returns: + `str` + """ + return self._license_identifier + + @license_identifier.setter + def license_identifier(self, license_identifier: str) -> None: + self._license_identifier = license_identifier + + @property + @serializable.json_name('bom-ref') + @serializable.type_mapping(BomRef) + @serializable.xml_attribute() + @serializable.xml_name('bom-ref') + def bom_ref(self) -> BomRef: + """ + An identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref MUST be + unique within the BOM. 
+ Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links. + + Returns: + `BomRef` + """ + return self._bom_ref + + @property + @serializable.xml_sequence(1) + def text(self) -> Optional[AttachedText]: + """ + A way to include the textual content of the license. + + Returns: + `AttachedText` else `None` + """ + return self._text + + @text.setter + def text(self, text: Optional[AttachedText]) -> None: + self._text = text + + @property + @serializable.xml_sequence(2) + def url(self) -> Optional[XsUri]: + """ + The URL to the license file. If specified, a 'license' externalReference should also be specified for + completeness. + + Returns: + `XsUri` or `None` + """ + return self._url + + @url.setter + def url(self, url: Optional[XsUri]) -> None: + self._url = url + + def __comparable_tuple(self) -> _ComparableTuple: + return _ComparableTuple(( + self.bom_ref.value, self.license_identifier, self.url, self.text, + )) + + def __eq__(self, other: object) -> bool: + if isinstance(other, LicenseExpressionDetails): + return self.__comparable_tuple() == other.__comparable_tuple() + return False + + def __lt__(self, other: object) -> bool: + if isinstance(other, LicenseExpressionDetails): + return self.__comparable_tuple() < other.__comparable_tuple() + return NotImplemented + + def __hash__(self) -> int: + return hash(self.__comparable_tuple()) + + def __repr__(self) -> str: + return f'' + + @serializable.serializable_class( name='expression', ignore_unknown_during_deserialization=True @@ -296,10 +414,12 @@ def __init__( self, value: str, *, bom_ref: Optional[Union[str, BomRef]] = None, acknowledgement: Optional[LicenseAcknowledgement] = None, + details: Optional[Iterable[LicenseExpressionDetails]] = None, ) -> None: self._bom_ref = _bom_ref_from_str(bom_ref) self._value = value self._acknowledgement = acknowledgement + self.details = details or [] @property @serializable.view(SchemaVersion1Dot5) 
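Review bot: The `license_identifier` setter in the new `LicenseExpressionDetails` class stores whatever string it is given, although its docstring calls the value a valid SPDX identifier and the record's primary key, and the property is emitted as an XML attribute with NORMALIZED_STRING serialization, so an empty or whitespace-only value would produce an empty attribute and only fail later, at schema validation or in a consumer. A minimal guard at the setter surfaces this at construction time: `if not license_identifier or not license_identifier.strip(): raise ValueError('license_identifier must be a non-empty SPDX license identifier')` — the project may prefer one of its own exception types from `..exception.model`, which are not visible in this hunk. The `__repr__` body appears here as `return f''`, which looks like the angle-bracketed repr text was lost in rendering rather than in the source; worth confirming the committed file still produces a descriptive repr.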
@@ -362,11 +482,30 @@ def acknowledgement(self) -> Optional[LicenseAcknowledgement]: def acknowledgement(self, acknowledgement: Optional[LicenseAcknowledgement]) -> None: self._acknowledgement = acknowledgement + @property + @serializable.json_name('expressionDetails') + @serializable.view(SchemaVersion1Dot7) + @serializable.xml_array(serializable.XmlArraySerializationType.FLAT, child_name='details') + @serializable.xml_sequence(1) + def details(self) -> 'SortedSet[LicenseExpressionDetails]': + """ + Details for parts of the expression. + + Returns: + Set of `LicenseExpressionDetails` + """ + return self._details + + @details.setter + def details(self, details: Iterable[LicenseExpressionDetails]) -> None: + self._details = SortedSet(details) + def __comparable_tuple(self) -> _ComparableTuple: return _ComparableTuple(( self._acknowledgement, self._value, self._bom_ref.value, + _ComparableTuple(self.details), )) def __hash__(self) -> int: 
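Review bot: Adding `_ComparableTuple(self.details)` to `LicenseExpression.__comparable_tuple` makes the object's hash and sort position depend on a mutable `SortedSet` that the `details` getter hands out by reference, so `expression.details.add(...)` on an instance already held in a `LicenseRepository` silently changes its hash inside that set; the new `test_update_expression_details` exercises exactly this mutation. If post-construction mutability is intended, the property should say so, e.g. `# NOTE: mutating the returned set changes this object's hash; re-insert into any containing set afterwards`, otherwise return a read-only view. The `details` docstring could also state that the value is emitted only for schema 1.7 and later, which is what `@serializable.view(SchemaVersion1Dot7)` enforces. The enclosing class continues outside the hunk.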
@@ -431,6 +570,38 @@ class LicenseRepository(SortedSet): class _LicenseRepositorySerializationHelper(serializable.helpers.BaseHelper): """ THIS CLASS IS NON-PUBLIC API """ + @staticmethod + def __supports_expression_details(view: Any) -> bool: + try: + return view is not None and view().schema_version_enum >= SchemaVersion.V1_7 + except Exception: # pragma: no cover + return False + + @staticmethod + def __xml_normalize_license_expression_detailed( + license_expression: LicenseExpression, + view: Optional[type[serializable.ViewType]], + xmlns: Optional[str] + ) -> Element: + elem: Element = license_expression.as_xml( # type:ignore[attr-defined] + view_=view, as_string=False, element_name='expression-detailed', xmlns=xmlns) + elem.set(f'{{{xmlns}}}expression' if xmlns else 'expression', license_expression.value) + elem.text = None + return elem + + @staticmethod + def __xml_denormalize_license_expression_detailed( + li: Element, + default_ns: Optional[str] + ) -> LicenseExpression: + expression_value = li.get('expression') + if not expression_value: + raise CycloneDxDeserializationException(f'unexpected content: {li!r}') + license_expression: LicenseExpression = LicenseExpression.from_xml( # type:ignore[attr-defined] + li, default_ns) + license_expression.value = expression_value + return license_expression + @classmethod def json_normalize(cls, o: LicenseRepository, *, view: Optional[type[serializable.ViewType]], 
@@ -482,8 +653,13 @@ def xml_normalize(cls, o: LicenseRepository, *, # mixed license expression and license? this is an invalid constellation according to schema! # see https://github.com/CycloneDX/specification/pull/205 # but models need to allow it for backwards compatibility with JSON CDX < 1.5 - elem.append(expression.as_xml( # type:ignore[attr-defined] - view_=view, as_string=False, element_name='expression', xmlns=xmlns)) + if expression.details and cls.__supports_expression_details(view): + elem.append(cls.__xml_normalize_license_expression_detailed(expression, view, xmlns)) + else: + if expression.details: + warn('LicenseExpression details are not supported in schema versions < 1.7; skipping serialization') + elem.append(expression.as_xml( # type:ignore[attr-defined] + view_=view, as_string=False, element_name='expression', xmlns=xmlns)) else: elem.extend( li.as_xml( # type:ignore[attr-defined] @@ -506,6 +682,8 @@ def xml_denormalize(cls, o: Element, elif tag == 'expression': repo.add(LicenseExpression.from_xml( # type:ignore[attr-defined] li, default_ns)) + elif tag == 'expression-detailed': + repo.add(cls.__xml_denormalize_license_expression_detailed(li, default_ns)) else: raise CycloneDxDeserializationException(f'unexpected: {li!r}') return repo diff --git a/tests/_data/models.py b/tests/_data/models.py index 55a5cdb9a..8c6e89342 100644 --- a/tests/_data/models.py +++ b/tests/_data/models.py @@ -97,7 +97,13 @@ ImpactAnalysisState, ) from cyclonedx.model.issue import IssueClassification, IssueType, IssueTypeSource -from cyclonedx.model.license import DisjunctiveLicense, License, LicenseAcknowledgement, LicenseExpression +from cyclonedx.model.license import ( + DisjunctiveLicense, + License, + LicenseAcknowledgement, + LicenseExpression, + LicenseExpressionDetails, +) from cyclonedx.model.lifecycle import LifecyclePhase, NamedLifecycle, PredefinedLifecycle from cyclonedx.model.release_note import ReleaseNotes from cyclonedx.model.service import Service 
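Review bot: `__xml_normalize_license_expression_detailed` writes the attribute as `{xmlns}expression` when a namespace is supplied, but `__xml_denormalize_license_expression_detailed` reads it back with the unqualified `li.get('expression')`, so a document serialized with a namespace would fail its own round-trip with "unexpected content" unless the parser strips attribute namespaces; if CycloneDX attributes are unqualified, as I believe they are, the symmetric fix is `elem.set('expression', license_expression.value)` on the write side. `__supports_expression_details` catches bare `Exception` and answers False, which turns any failure in resolving the view into details being dropped without a trace; `except AttributeError` keeps the intent without masking other errors. The `xml_denormalize` hunk (`@@ -506,6 +682,8 @@`) consumes this helper and inherits the attribute-name mismatch.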
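Review bot: The `warn(...)` added in `xml_normalize` for details under schema < 1.7 has no counterpart on the JSON side: `details` is gated by `@serializable.view(SchemaVersion1Dot7)`, so `json_normalize` (not in this diff) presumably drops the same data without notice, and the behaviour then differs by output format. Emitting the same warning from the JSON path, or checking once in a shared helper, would keep the two consistent. `warn` is used as a bare name and no import change for this file is visible in this chunk; worth confirming `from warnings import warn` is already at the top of the module.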
@@ -1061,6 +1067,15 @@ def get_vulnerability_source_owasp() -> VulnerabilitySource: def get_bom_with_licenses() -> Bom: + expression_details = [ + LicenseExpressionDetails(license_identifier='GPL-3.0-or-later', + url=XsUri('https://www.apache.org/licenses/LICENSE-2.0.txt'), + text=AttachedText(content='specific GPL-3.0-or-later license text')), + LicenseExpressionDetails(license_identifier='GPL-2.0', + bom_ref='some-bomref-1234', + text=AttachedText(content='specific GPL-2.0 license text')), + ] + return _make_bom( metadata=BomMetaData( licenses=[DisjunctiveLicense(id='CC-BY-1.0')], @@ -1090,6 +1105,11 @@ def get_bom_with_licenses() -> Bom: DisjunctiveLicense(name='some other license', properties=[Property(name='myname', value='proprietary')]), ]), + Component(name='c-with-expression-details', type=ComponentType.LIBRARY, bom_ref='C5', + licenses=[LicenseExpression(value='GPL-3.0-or-later OR GPL-2.0', + details=expression_details, + acknowledgement=LicenseAcknowledgement.DECLARED + )]), ], services=[ Service(name='s-with-expression', bom_ref='S1', diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.0.xml.bin b/tests/_data/snapshots/get_bom_with_licenses-1.0.xml.bin index 89f5c8166..493a4f2e1 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.0.xml.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.0.xml.bin @@ -11,6 +11,11 @@ false + + c-with-expression-details + + false + c-with-license-properties diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.1.xml.bin b/tests/_data/snapshots/get_bom_with_licenses-1.1.xml.bin index 5519f41aa..4dad40232 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.1.xml.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.1.xml.bin @@ -18,6 +18,13 @@ Apache-2.0 OR MIT + + c-with-expression-details + + + GPL-3.0-or-later OR GPL-2.0 + + c-with-license-properties 
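Review bot: The fixture in `get_bom_with_licenses` pairs `license_identifier='GPL-3.0-or-later'` with `url=XsUri('https://www.apache.org/licenses/LICENSE-2.0.txt')`, so the 1.7 JSON and XML snapshots now show a GPL identifier pointing at the Apache license text, and readers who use the snapshots as reference output will take that as the intended shape. A URL that matches the identifier, or an obviously synthetic one, avoids the confusion. The `C5` component added in the next hunk (`@@ -1090,6 +1105,11 @@`) reuses the same list, so one change covers both.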
diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.2.json.bin b/tests/_data/snapshots/get_bom_with_licenses-1.2.json.bin index e016afff5..395d9c7f9 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.2.json.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.2.json.bin @@ -25,6 +25,17 @@ "type": "library", "version": "" }, + { + "bom-ref": "C5", + "licenses": [ + { + "expression": "GPL-3.0-or-later OR GPL-2.0" + } + ], + "name": "c-with-expression-details", + "type": "library", + "version": "" + }, { "bom-ref": "C4", "licenses": [ @@ -83,6 +94,9 @@ { "ref": "C4" }, + { + "ref": "C5" + }, { "ref": "S1" }, diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.2.xml.bin b/tests/_data/snapshots/get_bom_with_licenses-1.2.xml.bin index 85a4054ed..79bb5d13a 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.2.xml.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.2.xml.bin @@ -30,6 +30,13 @@ Apache-2.0 OR MIT + + c-with-expression-details + + + GPL-3.0-or-later OR GPL-2.0 + + c-with-license-properties @@ -92,6 +99,7 @@ + diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.3.json.bin b/tests/_data/snapshots/get_bom_with_licenses-1.3.json.bin index 46c9b296d..29d462f47 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.3.json.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.3.json.bin @@ -25,6 +25,17 @@ "type": "library", "version": "" }, + { + "bom-ref": "C5", + "licenses": [ + { + "expression": "GPL-3.0-or-later OR GPL-2.0" + } + ], + "name": "c-with-expression-details", + "type": "library", + "version": "" + }, { "bom-ref": "C4", "licenses": [ @@ -83,6 +94,9 @@ { "ref": "C4" }, + { + "ref": "C5" + }, { "ref": "S1" }, diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.3.xml.bin b/tests/_data/snapshots/get_bom_with_licenses-1.3.xml.bin index 5a5ab04d0..700731256 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.3.xml.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.3.xml.bin 
@@ -35,6 +35,13 @@ Apache-2.0 OR MIT + + c-with-expression-details + + + GPL-3.0-or-later OR GPL-2.0 + + c-with-license-properties @@ -97,6 +104,7 @@ + diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.4.json.bin b/tests/_data/snapshots/get_bom_with_licenses-1.4.json.bin index c084a6934..15e7590d6 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.4.json.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.4.json.bin @@ -23,6 +23,16 @@ "name": "c-with-expression", "type": "library" }, + { + "bom-ref": "C5", + "licenses": [ + { + "expression": "GPL-3.0-or-later OR GPL-2.0" + } + ], + "name": "c-with-expression-details", + "type": "library" + }, { "bom-ref": "C4", "licenses": [ @@ -79,6 +89,9 @@ { "ref": "C4" }, + { + "ref": "C5" + }, { "ref": "S1" }, diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.4.xml.bin b/tests/_data/snapshots/get_bom_with_licenses-1.4.xml.bin index 7a3131097..35c8a991d 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.4.xml.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.4.xml.bin @@ -32,6 +32,12 @@ Apache-2.0 OR MIT + + c-with-expression-details + + GPL-3.0-or-later OR GPL-2.0 + + c-with-license-properties @@ -92,6 +98,7 @@ + diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.5.json.bin b/tests/_data/snapshots/get_bom_with_licenses-1.5.json.bin index b4d897131..c9d8f6dca 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.5.json.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.5.json.bin @@ -23,6 +23,16 @@ "name": "c-with-expression", "type": "library" }, + { + "bom-ref": "C5", + "licenses": [ + { + "expression": "GPL-3.0-or-later OR GPL-2.0" + } + ], + "name": "c-with-expression-details", + "type": "library" + }, { "bom-ref": "C4", "licenses": [ @@ -95,6 +105,9 @@ { "ref": "C4" }, + { + "ref": "C5" + }, { "ref": "S1" }, 
diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.5.xml.bin b/tests/_data/snapshots/get_bom_with_licenses-1.5.xml.bin index 4cb534ccc..56f1b96e0 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.5.xml.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.5.xml.bin @@ -32,6 +32,12 @@ Apache-2.0 OR MIT + + c-with-expression-details + + GPL-3.0-or-later OR GPL-2.0 + + c-with-license-properties @@ -99,6 +105,7 @@ + diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.6.json.bin b/tests/_data/snapshots/get_bom_with_licenses-1.6.json.bin index e626d7bbb..c53e33543 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.6.json.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.6.json.bin @@ -25,6 +25,17 @@ "name": "c-with-expression", "type": "library" }, + { + "bom-ref": "C5", + "licenses": [ + { + "acknowledgement": "declared", + "expression": "GPL-3.0-or-later OR GPL-2.0" + } + ], + "name": "c-with-expression-details", + "type": "library" + }, { "bom-ref": "C4", "licenses": [ @@ -97,6 +108,9 @@ { "ref": "C4" }, + { + "ref": "C5" + }, { "ref": "S1" }, diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.6.xml.bin b/tests/_data/snapshots/get_bom_with_licenses-1.6.xml.bin index 527a1ce3a..2c513c611 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.6.xml.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.6.xml.bin @@ -32,6 +32,12 @@ Apache-2.0 OR MIT + + c-with-expression-details + + GPL-3.0-or-later OR GPL-2.0 + + c-with-license-properties @@ -99,6 +105,7 @@ + diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.7.json.bin b/tests/_data/snapshots/get_bom_with_licenses-1.7.json.bin index 4f5e710ab..7a24d9850 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.7.json.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.7.json.bin 
@@ -25,6 +25,35 @@ "name": "c-with-expression", "type": "library" }, + { + "bom-ref": "C5", + "licenses": [ + { + "acknowledgement": "declared", + "expressionDetails": [ + { + "bom-ref": "some-bomref-1234", + "licenseIdentifier": "GPL-2.0", + "text": { + "content": "specific GPL-2.0 license text", + "contentType": "text/plain" + } + }, + { + "licenseIdentifier": "GPL-3.0-or-later", + "text": { + "content": "specific GPL-3.0-or-later license text", + "contentType": "text/plain" + }, + "url": "https://www.apache.org/licenses/LICENSE-2.0.txt" + } + ], + "expression": "GPL-3.0-or-later OR GPL-2.0" + } + ], + "name": "c-with-expression-details", + "type": "library" + }, { "bom-ref": "C4", "licenses": [ @@ -97,6 +126,9 @@ { "ref": "C4" }, + { + "ref": "C5" + }, { "ref": "S1" }, diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_licenses-1.7.xml.bin index 8b28e1972..c5687615a 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.7.xml.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.7.xml.bin @@ -32,6 +32,20 @@ Apache-2.0 OR MIT + + c-with-expression-details + + +
+ specific GPL-2.0 license text +
+
+ specific GPL-3.0-or-later license text + https://www.apache.org/licenses/LICENSE-2.0.txt +
+
+
+
c-with-license-properties @@ -99,6 +113,7 @@ + diff --git a/tests/test_model_license.py b/tests/test_model_license.py index a21b8741e..3ea2b1e38 100644 --- a/tests/test_model_license.py +++ b/tests/test_model_license.py @@ -22,7 +22,7 @@ from cyclonedx.exception.model import MutuallyExclusivePropertiesException from cyclonedx.model import AttachedText, Property, XsUri -from cyclonedx.model.license import DisjunctiveLicense, LicenseExpression +from cyclonedx.model.license import DisjunctiveLicense, LicenseExpression, LicenseExpressionDetails from tests import reorder @@ -105,12 +105,29 @@ def test_create(self) -> None: license = LicenseExpression('foo') self.assertEqual('foo', license.value) + def test_create_with_expression_details(self) -> None: + details = [ + LicenseExpressionDetails('qux'), + LicenseExpressionDetails('baz') + ] + b = LicenseExpression('bar', details=details) + self.assertListEqual(sorted(details), list(b.details)) + def test_update(self) -> None: license = LicenseExpression('foo') self.assertEqual('foo', license.value) license.value = 'bar' self.assertEqual('bar', license.value) + def test_update_expression_details(self) -> None: + details = [ + LicenseExpressionDetails('qux'), + LicenseExpressionDetails('baz') + ] + b = LicenseExpression('bar', details=[details[0]]) + b.details.add(details[1]) + self.assertListEqual(sorted(details), list(b.details)) + def test_equal(self) -> None: a = LicenseExpression('foo') b = LicenseExpression('foo') @@ -119,6 +136,16 @@ def test_equal(self) -> None: self.assertNotEqual(a, c) self.assertNotEqual(a, 'foo') + def test_equal_with_expression_details(self) -> None: + a = LicenseExpression('foo') + b = LicenseExpression('foo') + c = LicenseExpression('bar') + d = LicenseExpression('bar', details=[LicenseExpressionDetails('baz')]) + self.assertEqual(a, b) + self.assertNotEqual(a, c) + self.assertNotEqual(a, 'foo') + self.assertNotEqual(c, d) + class TestModelLicense(TestCase): 
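Review bot: `test_equal_with_expression_details` only asserts that an expression with details differs from one without (`assertNotEqual(c, d)`); it never checks that two expressions built from equal details compare equal and hash equal, which is the property the new `_ComparableTuple(self.details)` term is meant to give. Adding `e = LicenseExpression('bar', details=[LicenseExpressionDetails('baz')])` followed by `self.assertEqual(d, e)` and `self.assertEqual(hash(d), hash(e))` would pin it. `test_update_expression_details` mutates `b.details` in place, so it is also the natural place to assert whether the hash changes after the mutation, since `__hash__` presumably derives from the comparable tuple. `test_sort` in the `@@ -133,3 +160,25 @@` hunk varies only the identifier, so the bom-ref-first ordering of `LicenseExpressionDetails.__comparable_tuple` is not exercised.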
@@ -133,3 +160,25 @@ def test_sort_mixed(self) -> None: shuffle(licenses) sorted_licenses = sorted(licenses) self.assertListEqual(sorted_licenses, expected_licenses) + + +class TestModelLicenseExpressionDetails(TestCase): + def test_equal(self) -> None: + a = LicenseExpressionDetails(license_identifier='MIT') + b = LicenseExpressionDetails(license_identifier='MIT') + c = LicenseExpressionDetails(license_identifier='MIT', text=AttachedText(content='some text')) + self.assertEqual(a, b) + self.assertNotEqual(a, c) + + def test_sort(self) -> None: + expected_order = [0, 3, 2, 1] + details = [ + LicenseExpressionDetails(license_identifier='Apache-2.0'), + LicenseExpressionDetails(license_identifier='MIT'), + LicenseExpressionDetails(license_identifier='MIT'), + LicenseExpressionDetails(license_identifier='GPL-3.0'), + ] + expected_details = reorder(details, expected_order) + shuffle(details) + sorted_details = sorted(details) + self.assertListEqual(sorted_details, expected_details) From 150777e13421c2838b27ff926653e24094d3f75d Mon Sep 17 00:00:00 2001 From: "cyclonedx-releases[bot]" <275040549+cyclonedx-releases[bot]@users.noreply.github.com> Date: Mon, 8 Jun 2026 07:32:01 +0000 Subject: [PATCH 21/21] chore(release): 11.9.0 Automatically generated by python-semantic-release --- CHANGELOG.md | 9 +++++++++ cyclonedx/__init__.py | 2 +- docs/conf.py | 2 +- pyproject.toml | 2 +- 4 files changed, 12 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2f3f88de9..920b48401 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,15 @@ +## v11.9.0 (2026-06-08) + +### Features + +- Add support for license expression details + ([#908](https://github.com/CycloneDX/cyclonedx-python-lib/pull/908), + [`b502381`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/b50238102553dc215b08796ea914072294f69489)) + + ## v11.8.0 (2026-06-04) ### Documentation diff --git a/cyclonedx/__init__.py b/cyclonedx/__init__.py index db0caaa76..e23b280ae 100644 
--- a/cyclonedx/__init__.py +++ b/cyclonedx/__init__.py @@ -22,4 +22,4 @@ # !! version is managed by semantic_release # do not use typing here, or else `semantic_release` might have issues finding the variable -__version__ = "11.8.0" # noqa:Q000 +__version__ = "11.9.0" # noqa:Q000 diff --git a/docs/conf.py b/docs/conf.py index 10d3d1577..ba082befa 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -23,7 +23,7 @@ # The full version, including alpha/beta/rc tags # !! version is managed by semantic_release -release = '11.8.0' +release = '11.9.0' # -- General configuration --------------------------------------------------- diff --git a/pyproject.toml b/pyproject.toml index c08d78751..be66740b7 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] name = "cyclonedx-python-lib" # !! version is managed by semantic_release -version = "11.8.0" +version = "11.9.0" description = "Python library for CycloneDX" authors = [ "Paul Horton ",