hotfix(sbom): accept any CycloneDX 1.x; surface cyclonedx-py stderr#269
Conversation
v0.14.1 publish run #2 still failed at SBOM gen — the previous hotfix added `--schema-version 1.5` to the cyclonedx-py command but cyclonedx-py 7.x rejected the flag with exit code 2 (argparse error, "command-line usage error"). Stderr was captured but never printed, so the actual error message was invisible from the publish workflow log.

This commit:

1. Drops the `--schema-version` flag entirely. cyclonedx-py emits whichever CycloneDX 1.x revision is its default (currently 1.6).
2. Loosens the validator from `specVersion == "1.5"` to `specVersion` starts with "1.". CycloneDX is forward-compatible within 1.x; every consumer that reads 1.5 reads 1.6.
3. On `subprocess.CalledProcessError`, prints the captured stderr to our own stderr before re-raising. Future CLI-flag drift becomes diagnosable from the workflow log without re-running.
4. Module docstring updated — title is "CycloneDX SBOM emitter" (no 1.5 anymore), policy section explains the version drift fight.

The contract reduction from "exact 1.5" to "any 1.x" is a deliberate trade for resilience against transitive `cyclonedx-bom` upgrades. If we ever need to pin to a specific spec version for compliance reasons, the right move is to pin `cyclonedx-bom` itself in pyproject.toml `[release]` extras and document the dependency-policy decision.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
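The three mechanical changes in the description (no spec-version flag, a validator that accepts any 1.x revision, and echoing captured stderr before re-raising) are shown together below as an added example. This is illustrative code written for this review, not the project's emitter: the real `cyclonedx-py` is replaced by a constructed argparse stand-in (`FAKE_CLI`) so the example runs offline, and the `spec_version_is_1x` check parses major.minor rather than using the plain `"1."` prefix test the commit describes, which additionally rejects malformed values such as `"1"`.

```python
"""Added example (not the project's emitter): run an SBOM generator with stderr
captured, surface that stderr when it fails, and accept any CycloneDX 1.x.

The cyclonedx-py command is replaced by a constructed argparse stand-in so
the example runs offline; the real tool's flags are not modelled.
"""
import json
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Sequence


def spec_version_is_1x(spec_version: str) -> bool:
    """True for any CycloneDX 1.x revision ("1.4", "1.5", "1.6", ...).

    Parses major.minor instead of a plain "1." prefix test so a malformed
    value such as "1" or "1.x" is rejected rather than silently accepted.
    """
    parts = spec_version.split(".")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        return False
    return int(parts[0]) == 1


def validate_cyclonedx(doc: dict) -> str:
    """Return the specVersion of a CycloneDX JSON document, or raise ValueError."""
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError(f"not a CycloneDX document: bomFormat={doc.get('bomFormat')!r}")
    version = str(doc.get("specVersion", ""))
    if not spec_version_is_1x(version):
        raise ValueError(f"unsupported CycloneDX specVersion {version!r}; need 1.x")
    return version


def run_generator(cmd: Sequence[str]) -> subprocess.CompletedProcess:
    """Run the generator with output captured; on failure echo stderr, then re-raise.

    capture_output=True keeps the child's stderr out of the parent's log, so
    without this except clause an argparse usage error (exit 2) is invisible.
    """
    try:
        return subprocess.run(list(cmd), capture_output=True, text=True, check=True)
    except subprocess.CalledProcessError as exc:
        print(f"{cmd[0]} exited {exc.returncode}; captured stderr:", file=sys.stderr)
        print(exc.stderr, file=sys.stderr, end="")
        raise


def generate_and_validate(cmd: Sequence[str], out_path: Path) -> dict:
    """Run the generator, load the JSON it wrote and check the spec family."""
    run_generator(cmd)
    doc = json.loads(out_path.read_text())
    validate_cyclonedx(doc)
    return doc


# Constructed stand-in for cyclonedx-py: accepts only -o/--output-file and
# writes a minimal CycloneDX 1.6 document. Any other flag is an argparse error.
FAKE_CLI = (
    "import argparse, json\n"
    "p = argparse.ArgumentParser(prog='cyclonedx-py')\n"
    "p.add_argument('-o', '--output-file', required=True)\n"
    "a = p.parse_args()\n"
    "with open(a.output_file, 'w') as f:\n"
    "    json.dump({'bomFormat': 'CycloneDX', 'specVersion': '1.6', 'components': []}, f)\n"
)


def fake_generator_cmd(out_path: Path, extra: Sequence[str] = ()) -> list:
    """Build the stand-in command line; `extra` simulates a drifted CLI flag."""
    return [sys.executable, "-c", FAKE_CLI, "-o", str(out_path), *extra]


def run_demo() -> dict:
    """Exercise both paths: the rejected flag and the accepted default output."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "sbom.json"
        result = {}
        try:
            generate_and_validate(fake_generator_cmd(out, ["--schema-version", "1.5"]), out)
        except subprocess.CalledProcessError as exc:
            # The usage error is now visible on our stderr and also recorded here.
            result["rejected_exit"] = exc.returncode
            result["rejected_stderr"] = exc.stderr
        doc = generate_and_validate(fake_generator_cmd(out), out)
        result["accepted_version"] = doc["specVersion"]
        return result


if __name__ == "__main__":
    print(run_demo())
```

Running the module shows the two outcomes side by side: the stand-in rejects `--schema-version 1.5` with exit code 2 and its `unrecognized arguments` message now appears on the caller's stderr, while the flag-free invocation emits a 1.6 document that the 1.x validator accepts. The same `run_generator` wrapper can be put around the real `cyclonedx-py` call unchanged.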
v0.14.1 publish run #2 failed at SBOM gen — the prior hotfix's `--schema-version 1.5` flag was rejected by cyclonedx-py 7.x with exit 2 (argparse error). Stderr was captured but invisible from the workflow log, so the actual error never surfaced. This commit: (1) drops the flag, (2) accepts any CycloneDX 1.x output (forward-compatible spec family), (3) prints captured stderr on subprocess failure for future debuggability.