feat!: v8.0.0 (#665)

### BREAKING Changes

* Removed `cyclonedx.mode.ThisTool`, utilize `cyclonedx.builder.this.this_tool()` instead. 
* Moved `cyclonedx.model.Tool` to `cyclonedx.model.tool.Tool`.
* Property `cyclonedx.mode.bom.BomMetaData.tools` is of type `cyclonedx.model.tool.ToolRepository` now, was `SortedSet[cyclonedx.model.Tool]`.  
  The getter will act accordingly; the setter might act in a backwards-compatible way.
* Property `cyclonedx.mode.vulnerability.Vulnerability.tools` is of type `cyclonedx.model.tool.ToolRepository` now, was `SortedSet[cyclonedx.model.Tool]`.  
  The getter will act accordingly; the setter might act in a backwards-compatible way.
* Constructor `cyclonedx.model.license.LicenseExpression()` accepts optional argument `acknowledgement` only as key-word argument, no longer as positional argument.  
  

### Changes

* Constructor of `cyclonedx.model.bom.BomMetaData` also accepts an instance of `cyclonedx.model.tool.ToolRepository` for argument `tools`.
* Constructor of `cyclonedx.model.bom.BomMetaData` no longer adds this very library as a tool.  
  Downstream users SHOULD add it manually, like `my-bom.metadata.tools.components.add(cyclonedx.builder.this.this_component())`. 

### Fixes

* Deserialization of CycloneDX that do not include tools in the metadata are no longer unexpectedly modified/altered.

### Added

Enabled Metadata Tools representation and serialization in accordance with CycloneDX 1.5 

* New class `cyclonedx.model.tool.ToolRepository`.
* New function `cyclonedx.builder.this.this_component()` -- representation of this very python library as a `Component`.
* New function `cyclonedx.builder.this.this_tool()` -- representation of this very python library as a `Tool`.
* New function `cyclonedx.model.tool.Tool.from_component()`.

### Dependencies

* Raised runtime dependency `py-serializable>=1.1.1,<2`, was `>=1.1.0,<2`.

---------

Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Joshua Kugler <[email protected]>
Signed-off-by: semantic-release <[email protected]>
Co-authored-by: Joshua Kugler <[email protected]>
Co-authored-by: semantic-release <[email protected]>

Author: 3 people

CHANGELOG.md

@@ -1,6 +1,29 @@
 # CHANGELOG
 
 
+## Unreleased
+
+### Documentation
+
+* docs(chaneglog): omit chore/ci/refactor/style/test/build (#703)
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`a210809`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/a210809efb34c2dc895fc0c6d96a3412a9097625))
+
+* docs: rephrase migration paths
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`b0260a7`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/b0260a7d45bc3e099b979001049a8c5a67b97634))
+
+### Unknown
+
+* Merge remote-tracking branch 'origin/main' into 8.0.0-dev ([`b9a33e6`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/b9a33e614a84ba4a6546a1907b70a0cbfee8cd6f))
+
+* rework tools xml deserializer (#700)
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`1a24ee6`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/1a24ee6a0853e535465f85c6380971948281ad6e))
+
+* Merge remote-tracking branch 'origin/main' into 8.0.0-dev ([`4c57fa1`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/4c57fa156516de07cdd4acd3f3057c0b20d108d7))
+
+
 
 ## v7.6.2 (2024-10-07)
 
@@ -20,9 +43,126 @@ fixes #690
 
 Signed-off-by: Jan Kowalleck <[email protected]> ([`d8b20bd`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/d8b20bdc5224ea30cf767f6f3f1a6f8ff2754973))
 
+### Unknown
+
+* docs
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`68c681d`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/68c681d46c85230a97c4058de97400f3d93119f5))
+
+
+## v8.0.0-rc.2 (2024-09-27)
+
+### Fix
+
+* fix: ToolRepository serialize migrated tools deduplicated (#686)
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`35ccdd1`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/35ccdd1bfec9757457763308d16e1dbf5d9e28e9))
+
+### Unknown
+
+* docs
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`2e16408`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/2e16408098a3c649b80fb407d4f43aaa34aee39f))
+
+* rename `ToolsRepository` -> `ToolRepository` (#687)
+
+Item class of repository is to be called in singular(`Tool`).
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`e00af17`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/e00af1739fa6d3933315e96266d96d9b290012ee))
+
+
+## v8.0.0-rc.1 (2024-09-25)
+
+### Documentation
+
+* docs: migrate to v8.0.0 (#684)
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`0ac84d7`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/0ac84d76f2e526f329937ab004480405492e7417))
+
+### Fix
+
+* fix: assert copyright headers
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`bef268b`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/bef268b7abe2c3f343274d7789906c99c80e9df9))
+
+### Unknown
+
+* Merge branch 'main' into 8.0.0-dev
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`39514b3`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/39514b331eef98fbf5208ead341060831f8acddf))
+
+* Merge branch 'main' into 8.0.0-dev ([`c123aff`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/c123aff4bd479ec0f5f1982725ffe8901afb87c9))
+
 
 ## v7.6.1 (2024-09-18)
 
+### Breaking
+
+* feat!: this-builder (#649)
+
+reworked `ThisTool` for #635
+
+---------
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`cf5d2c7`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/cf5d2c7e43883967c5d5837f465ecac5a8cc034e))
+
+* refactor!: `LicenseExpression()` optional args are named args (#595)
+
+fixes #594
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`0172564`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/0172564d5f9529e7ce543da434969b552833de31))
+
+* feat!: Add component and services for tools (#635)
+
+CycloneDX spec 1.5 deprecated an array of tools in bom.metadata and
+instead prefers object with an array of components and an array of
+services.
+
+This PR implements that.
+
+This works de-serializing a Syft SBOM with a tool section like so:
+```
+  "metadata": {
+    "timestamp": "2024-06-10T13:06:52-08:00",
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "author": "anchore",
+          "name": "syft",
+          "version": "1.4.1"
+        }
+      ]
+    },
+    "component": {
+      "bom-ref": "08329a07b4eb8eac",
+      "type": "file",
+      "name": "./"
+    }
+  },
+```
+Next up: docs, XML (de)serialization code, and tests.
+
+fixes #561
+
+---------
+
+Signed-off-by: Joshua Kugler <[email protected]>
+Signed-off-by: Jan Kowalleck <[email protected]>
+Co-authored-by: Jan Kowalleck <[email protected]> ([`1f5fd7a`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/1f5fd7a6be94d93d2260622d39ea01cd74614402))
+
+* feat!: 8.0.0
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`9ba4b8e`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/9ba4b8e5d255c8dba51df214786328bfa700291c))
+
+### Feature
+
+* feat: don't add self to `metafata.tools` (#674)
+
+fixes #673
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`e0a153f`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/e0a153fbd553dcf29343d72e361c1cc9122c63b4))
+
 ### Fix
 
 * fix: file copyright headers (#676)
@@ -33,6 +173,16 @@ correct headers
 
 Signed-off-by: Jan Kowalleck <[email protected]> ([`35e00b4`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/35e00b4ee5a9306b9e97b011025409bcbfcef309))
 
+### Unknown
+
+* Merge branch 'main' into 8.0.0-dev ([`3d1548a`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/3d1548abf5db45764a22fcca96493574f96ff693))
+
+* Merge branch 'main' into 8.0.0-dev
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`735c800`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/735c8003ce88b0c6efa802ccd806f17d22b4df89))
+
+* Merge branch 'main' into 8.0.0-dev ([`0ec785d`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/0ec785d29abcc215a5a0f6feec9bf16b0994cc92))
+
 
 ## v7.6.0 (2024-08-14)
 

cyclonedx/__init__.py

@@ -22,4 +22,4 @@
 
 # !! version is managed by semantic_release
 # do not use typing here, or else `semantic_release` might have issues finding the variable
-__version__ = "7.6.2"  # noqa:Q000
+__version__ = "8.0.0-rc.2"  # noqa:Q000

cyclonedx/builder/__init__.py

@@ -0,0 +1,20 @@
+# This file is part of CycloneDX Python Library
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+
+"""
+Builders used in this library.
+"""

cyclonedx/builder/this.py

@@ -0,0 +1,83 @@
+# This file is part of CycloneDX Python Library
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+
+"""Representation of this very python library."""
+
+__all__ = ['this_component', 'this_tool', ]
+
+from .. import __version__ as __ThisVersion  # noqa: N812
+from ..model import ExternalReference, ExternalReferenceType, XsUri
+from ..model.component import Component, ComponentType
+from ..model.license import DisjunctiveLicense, LicenseAcknowledgement
+from ..model.tool import Tool
+
+# !!! keep this file in sync with `pyproject.toml`
+
+
+def this_component() -> Component:
+    """Representation of this very python library as a :class:`Component`."""
+    return Component(
+        type=ComponentType.LIBRARY,
+        group='CycloneDX',
+        name='cyclonedx-python-lib',
+        version=__ThisVersion or 'UNKNOWN',
+        description='Python library for CycloneDX',
+        licenses=(DisjunctiveLicense(id='Apache-2.0',
+                                     acknowledgement=LicenseAcknowledgement.DECLARED),),
+        external_references=(
+            # let's assume this is not a fork
+            ExternalReference(
+                type=ExternalReferenceType.WEBSITE,
+                url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/#readme')
+            ),
+            ExternalReference(
+                type=ExternalReferenceType.DOCUMENTATION,
+                url=XsUri('https://cyclonedx-python-library.readthedocs.io/')
+            ),
+            ExternalReference(
+                type=ExternalReferenceType.VCS,
+                url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib')
+            ),
+            ExternalReference(
+                type=ExternalReferenceType.BUILD_SYSTEM,
+                url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/actions')
+            ),
+            ExternalReference(
+                type=ExternalReferenceType.ISSUE_TRACKER,
+                url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/issues')
+            ),
+            ExternalReference(
+                type=ExternalReferenceType.LICENSE,
+                url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE')
+            ),
+            ExternalReference(
+                type=ExternalReferenceType.RELEASE_NOTES,
+                url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md')
+            ),
+            # we cannot assert where the lib was fetched from, but we can give a hint
+            ExternalReference(
+                type=ExternalReferenceType.DISTRIBUTION,
+                url=XsUri('https://pypi.org/project/cyclonedx-python-lib/')
+            ),
+        ),
+        # to be extended...
+    )
+
+
+def this_tool() -> Tool:
+    """Representation of this very python library as a :class:`Tool`."""
+    return Tool.from_component(this_component())