cyclonedx-python-lib 6.0 and above breaks pip-audit

[neilkk]

$ python -c "from cyclonedx.parser import BaseParser"
Traceback (most recent call last):
File "", line 1, in
ModuleNotFoundError: No module named 'cyclonedx.parser'

Removal PR below:
CycloneDX/cyclonedx-python-lib#489

[woodruffw]

Thanks for the report @neilkk!

This strongly suggests an upstream semver breakage. I'll continue to diagnose. This now suggests either a user error or an outdated pip-audit version. We need more information to continue to triage.

(Could you please follow the bug report template for this issue and future ones? It makes our triaging efforts significantly easier. In particular, it would help to know which specific CycloneDX version you're using.)

[woodruffw]

From a quick look, our current imports don't contain BaseParser or cyclonedx.parser:

pip-audit/pip_audit/_format/cyclonedx.py

Lines 10 to 13 in 88a3f8c

	from cyclonedx import output
	from cyclonedx.model.bom import Bom
	from cyclonedx.model.component import Component
	from cyclonedx.model.vulnerability import Vulnerability

We've supported 6.0+ since #715, which was merged in v2.7.0: https://github.com/pypa/pip-audit/releases/tag/v2.7.0

As such, this is almost certainly not a bug in current versions of pip-audit.

[neilkk]

Sorry for the confusion, looks like we were running pip-audit v2.5.1