feat: add basic support for CDX 1.5 (#488)

This PR introduces basic support for CDX 1.5.

Ref:
- #404

**Schema:**

- Extended schema-downloader and added specification files,
- Adapted `README` and `SchemaVersion` for 1.5

**Model:**

- Added `SchemaVersion1Dot5`, serializable annotations,
- Extended `ComponentType` and `ExternalReferenceType` enums

**Tests:**

- Generated snapshots for 1.5.
- In some existing tests `bom-ref` changed, since 1.5 is now listed before 1.4

**Chore:**

-  Added `newline = '\n'` to schema-downloader and `writeSnapshot` for cross-platform support

----

* feat: add basic support for CDX 1.5

Signed-off-by: Johannes Feichtner <[email protected]>

* docs: note minversions of `HashAlgorithm` cases

Signed-off-by: Jan Kowalleck <[email protected]>

* docs: set ref after schema download

Signed-off-by: Jan Kowalleck <[email protected]>

* refactor: add the newly missing/TODO elements

Signed-off-by: Jan Kowalleck <[email protected]>

* docs: note minversions of `ComponentType` cases

Signed-off-by: Jan Kowalleck <[email protected]>

* refactor: adjust xml child order for CDX1.5

Signed-off-by: Jan Kowalleck <[email protected]>

* refactor: adjust xml child order for CDX1.5

Signed-off-by: Jan Kowalleck <[email protected]>

* docs: update to latest CDX meta

Signed-off-by: Jan Kowalleck <[email protected]>

* refactor: adjust xml child order for CDX1.5

Signed-off-by: Jan Kowalleck <[email protected]>

* feat: new enum cases fr VulnerabilityScoreSource

Signed-off-by: Jan Kowalleck <[email protected]>

* refactor: adjust xml child order for CDX1.5

Signed-off-by: Jan Kowalleck <[email protected]>

* tests: adjust to latest implementation

Signed-off-by: Jan Kowalleck <[email protected]>

* revert deletion by accident

Signed-off-by: Jan Kowalleck <[email protected]>

---------

Signed-off-by: Johannes Feichtner <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Co-authored-by: Jan Kowalleck <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>

Author: Churro

README.md

@@ -14,7 +14,8 @@
 ----
 
 This Python package can render and read valid [CycloneDX][link_website] documents.  
-CycloneDX is a lightweight BOM specification that is easily created, human-readable, and simple to parse.
+OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard
+that provides advanced supply chain capabilities for cyber risk reduction.
 
 **This module is not designed for standalone use.**
 

cyclonedx/model/__init__.py

@@ -30,7 +30,7 @@
     NoPropertiesProvidedException,
     UnknownHashTypeException,
 )
-from ..schema.schema import SchemaVersion1Dot3, SchemaVersion1Dot4
+from ..schema.schema import SchemaVersion1Dot3, SchemaVersion1Dot4, SchemaVersion1Dot5
 
 """
 Uniform set of models to represent objects within a CycloneDX software bill-of-materials.
@@ -113,6 +113,9 @@ class DataClassification:
     """
     This is our internal representation of the `dataClassificationType` complex type within the CycloneDX standard.
 
+    DataClassification might be deprecated since CycloneDX 1.5, but it is not deprecated in this library.
+    In fact, this library will try to provide a compatibility layer if needed.
+
     .. note::
         See the CycloneDX Schema for dataClassificationType:
         https://cyclonedx.org/docs/1.4/xml/#type_dataClassificationType
@@ -275,17 +278,17 @@ class HashAlgorithm(str, Enum):
         See the CycloneDX Schema: https://cyclonedx.org/docs/1.3/#type_hashAlg
     """
 
-    BLAKE2B_256 = 'BLAKE2b-256'
-    BLAKE2B_384 = 'BLAKE2b-384'
-    BLAKE2B_512 = 'BLAKE2b-512'
-    BLAKE3 = 'BLAKE3'
+    BLAKE2B_256 = 'BLAKE2b-256'  # Only supported in >= 1.2
+    BLAKE2B_384 = 'BLAKE2b-384'  # Only supported in >= 1.2
+    BLAKE2B_512 = 'BLAKE2b-512'  # Only supported in >= 1.2
+    BLAKE3 = 'BLAKE3'  # Only supported in >= 1.2
     MD5 = 'MD5'
     SHA_1 = 'SHA-1'
     SHA_256 = 'SHA-256'
     SHA_384 = 'SHA-384'
     SHA_512 = 'SHA-512'
     SHA3_256 = 'SHA3-256'
-    SHA3_384 = 'SHA3-384'
+    SHA3_384 = 'SHA3-384'  # Only supported in >= 1.2
     SHA3_512 = 'SHA3-512'
 
 
@@ -395,22 +398,45 @@ class ExternalReferenceType(str, Enum):
         See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.3/#type_externalReferenceType
     """
 
+    ADVERSARY_MODEL = 'adversary-model'  # Only supported in >= 1.5
     ADVISORIES = 'advisories'
+    ATTESTATION = 'attestation'  # Only supported in >= 1.5
     BOM = 'bom'
     BUILD_META = 'build-meta'
     BUILD_SYSTEM = 'build-system'
+    CERTIFICATION_REPORT = 'certification-report'  # Only supported in >= 1.5
     CHAT = 'chat'
+    CODIFIED_INFRASTRUCTURE = 'codified-infrastructure'  # Only supported in >= 1.5
+    COMPONENT_ANALYSIS_REPORT = 'component-analysis-report'  # Only supported in >= 1.5
+    CONFIGURATION = 'configuration'  # Only supported in >= 1.5
     DISTRIBUTION = 'distribution'
+    DISTRIBUTION_INTAKE = 'distribution-intake'  # Only supported in >= 1.5
     DOCUMENTATION = 'documentation'
+    DYNAMIC_ANALYSIS_REPORT = 'dynamic-analysis-report'  # Only supported in >= 1.5
+    EVIDENCE = 'evidence'  # Only supported in >= 1.5
+    EXPLOITABILITY_STATEMENT = 'exploitability-statement'  # Only supported in >= 1.5
+    FORMULATION = 'formulation'  # Only supported in >= 1.5
     ISSUE_TRACKER = 'issue-tracker'
     LICENSE = 'license'
+    LOG = 'log'  # Only supported in >= 1.5
     MAILING_LIST = 'mailing-list'
+    MATURITY_REPORT = 'maturity-report'  # Only supported in >= 1.5
+    MODEL_CARD = 'model-card'  # Only supported in >= 1.5
     OTHER = 'other'
+    PENTEST_REPORT = 'pentest-report'  # Only supported in >= 1.5
+    POAM = 'poam'  # Only supported in >= 1.5
+    QUALITY_METRICS = 'quality-metrics'  # Only supported in >= 1.5
     RELEASE_NOTES = 'release-notes'  # Only supported in >= 1.4
+    RISK_ASSESSMENT = 'risk-assessment'  # Only supported in >= 1.5
+    RUNTIME_ANALYSIS_REPORT = 'runtime-analysis-report'  # Only supported in >= 1.5
+    SECURITY_CONTACT = 'security-contact'  # Only supported in >= 1.5
+    STATIC_ANALYSIS_REPORT = 'static-analysis-report'  # Only supported in >= 1.5
     SOCIAL = 'social'
     SCM = 'vcs'
     SUPPORT = 'support'
+    THREAT_MODEL = 'threat-model'  # Only supported in >= 1.5
     VCS = 'vcs'
+    VULNERABILITY_ASSERTION = 'vulnerability-assertion'  # Only supported in >= 1.5
     WEBSITE = 'website'
 
 
@@ -541,6 +567,7 @@ def type(self, type: ExternalReferenceType) -> None:
     @property
     @serializable.view(SchemaVersion1Dot3)
     @serializable.view(SchemaVersion1Dot4)
+    @serializable.view(SchemaVersion1Dot5)
     @serializable.xml_array(serializable.XmlArraySerializationType.NESTED, 'hash')
     def hashes(self) -> 'SortedSet[HashType]':
         """
@@ -974,7 +1001,10 @@ class Tool:
     """
     This is our internal representation of the `toolType` complex type within the CycloneDX standard.
 
-    Tool(s) are the things used in the creation of the BOM.
+    Tool(s) are the things used in the creation of the CycloneDX document.
+
+    Tool might be deprecated since CycloneDX 1.5, but it is not deprecated i this library.
+    In fact, this library will try to provide a compatibility layer if needed.
 
     .. note::
         See the CycloneDX Schema for toolType: https://cyclonedx.org/docs/1.3/#type_toolType
@@ -1052,6 +1082,7 @@ def hashes(self, hashes: Iterable[HashType]) -> None:
 
     @property
     @serializable.view(SchemaVersion1Dot4)
+    @serializable.view(SchemaVersion1Dot5)
     @serializable.xml_array(serializable.XmlArraySerializationType.NESTED, 'reference')
     @serializable.xml_sequence(5)
     def external_references(self) -> 'SortedSet[ExternalReference]':