feat: validate CycloneDX documents #432
Comments
jkowalleck
changed the title
|
requirements:
|
|
reminder: we have schema validation already implemented in the tests. reminder: we already ship the schema files. |
|
this feature should be optional, so dependency bloat is minimized. this shall be documented in code and in other places. |
14 tasks
|
some features require py38. OOOOOOR since the deps are optional anyways, they can be marked as py-version-dependent ;-) |
Merged
This was referenced Sep 22, 2023
Closed
jkowalleck
added a commit
that referenced
this issue
Oct 24, 2023
BREAKING CHANGES ---------------- * Dropped support for python<3.8 ([#436] via [#441]; enable [#433]) * Reworked license related models, collections, and factories ([#365] via [#466]) * Behavior * Method `model.bom.Bom.validate()` will throw `exception.LicenseExpressionAlongWithOthersException`, if detecting invalid license constellation ([#453] via [#452]) * Fixed tuple comparison when unequal lengths (via [#461]) * API * Enum `schema.SchemaVersion` is no longer string-like ([#442] via [#447]) * Enum `schema.OutputVersion` is no longer string-like ([#442] via [#447]) * Abstract class `output.BaseOutput` requires implementation of new method `output_format` ([#446] via [#447]) * Abstract method `output.BaseOutput.output_as_string()` got new optional parameter `indent` ([#437] via [#458]) * Abstract method `output.BaseOutput.output_as_string()` accepts arbitrary kwargs (via [#458], [#462]) * Removed class `factory.license.LicenseChoiceFactory` (via [#466]) The old functionality was integrated into `factory.license.LicenseFactory`. * Method `factory.license.LicenseFactory.make_from_string()`'s parameter `name_or_spdx` was renamed to `value` (via [#466]) * Method `factory.license.LicenseFactory.make_from_string()`'s return value can also be a `LicenseExpression` ([#365] via [#466]) The behavior imitates the old `factory.license.LicenseChoiceFactory.make_from_string()` * Renamed class `module.License` to `module.license.DisjunctliveLicense` ([#365] via [#466]) * Removed class `module.LicenseChoice` ([#365] via [#466]) Use dedicated classes `module.license.DisjunctliveLicense` and `module.license.LicenseExpression` instead * All occurrences of `models.LicenseChoice` were replaced by `models.licenses.License` ([#365] via [#466]) * All occurrences of `SortedSet[LicenseChoice]` were specialized to `models.license.LicenseRepository` ([#365] via [#466]) Fixed ---------------- * Serialization of multy-licenses ([#365] via [#466]) * Detect unused "dependent" components in `model.bom.validate()` (via [#464]) Changed ---------------- * Updated latest supported list of supported SPDX license identifiers (via [#433]) * Shipped schema files are moved to a protected space (via [#433]) These files were never intended for public use. * XML output uses a default namespace, which makes results smaller. ([#438] via [#458]) Added ---------------- * Support for Python 3.12 (via [#460]) * JSON- & XML-Validators ([#432], [#446] via [#433], [#448]) The functionality might require additional dependencies, that can be installed with the extra "validation". See the docs in section "Installation" for details. * JSON & XML can be generated in a more human-friendly form ([#437], [#438] via [#458]) * Type hints, typings & overloads for better integration downstream (via [#463]) * API * New function `output.make_outputter()` (via [#469]) This replaces the deprecated function `output.get_instance()`. * New sub-package `validation` ([#432], [#446] via [#433], [#448], [#469], [#468], [#469]) * New class `exception.MissingOptionalDependencyException` ([#432] via [#433]) * New class `exception.LicenseExpressionAlongWithOthersException` ([#453] via [#452]) * New dictionaries `output.{json,xml}.BY_SCHEMA_VERSION` ([#446] via [#447]) * Existing implementations of class `output.BaseOutput` now have a new method `output_format` ([#446] via [#447]) * Existing implementations of method `output.BaseOutput.output_as_string()` got new optional parameter `indent` ([#437] via [#458]) * Existing implementations of method `output.BaseOutput.output_to_file()` got new optional parameter `indent` ([#437] via [#458]) * New method `factory.license.LicenseFactory.make_with_expression()` (via [#466]) * New class `model.license.DisjunctiveLicense` ([#365] via [#466]) * New class `model.license.LicenseExpression` ([#365] via [#466]) * New class `model.license.LicenseRepository` ([#365] via [#466]) * New class `serialization.LicenseRepositoryHelper` ([#365] via [#466]) Deprecated ---------------- * Function `output.get_instance()` might be removed, use `output.make_outputter()` instead (via [#469]) Tests ---------------- * Added validation tests with official CycloneDX schema test data ([#432] via [#433]) * Use proper snapshots, instead of pseudo comparison ([#437] via [#464]) * Added regression test for bug [#365] (via [#466], [#467]) Misc ---------------- * Dependencies: bumped `py-serializable@^0.15.0`, was `@^0.11.1` (via [#458], [#463], [#464], [#466]) * Style: streamlined quotes and strings (via [#472]) * Chore: bumped internal dev- and QA-tools ([#436] via [#441], [#472]) * Chore: added more QA tools to prevent common security issues (via [#473]) [#432]: #432 [#433]: #433 [#436]: #436 [#437]: #437 [#365]: #365 [#438]: #438 [#440]: #440 [#441]: #441 [#442]: #442 [#446]: #446 [#447]: #447 [#448]: #448 [#452]: #452 [#453]: #453 [#458]: #458 [#460]: #460 [#461]: #461 [#462]: #462 [#463]: #463 [#464]: #464 [#466]: #466 [#467]: #467 [#468]: #468 [#469]: #469 [#472]: #472 [#473]: #473 --------- Signed-off-by: Jan Kowalleck <[email protected]> Signed-off-by: Jan Kowalleck <[email protected]> Signed-off-by: semantic-release <semantic-release> Co-authored-by: semantic-release <semantic-release>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Need a way to validate that my SBOM output file correctly meets the specification based upon a specific specification version.
The text was updated successfully, but these errors were encountered: