Merge branch 'main' into dependabot/github_actions/actions/checkout-4.2.2

Signed-off-by: Patrick Dwyer <[email protected]>

Author: coderpatros

.github/workflows/dotnetcore.yml

@@ -6,6 +6,9 @@ on: [pull_request, workflow_dispatch]
 env:
   SNAPSHOOTER_STRICT_MODE: true
 
+# see https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions: {}
+
 jobs:
   # Fail if there are build warnings
   #
@@ -14,37 +17,37 @@ jobs:
   # This can be done by running `dotnet clean` before running `dotnet build`
   build-warnings:
     name: Build warnings check
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 30
     steps:
       - uses: actions/[email protected]
-      - uses: actions/setup-dotnet@v3.0.2
+      - uses: actions/setup-dotnet@v4.3.1
         with:
-          dotnet-version: '6.0'
+          dotnet-version: '8.0'
 
       - name: Build
         run: dotnet build /WarnAsError
 
   # We end up targeting a range of runtimes, make sure they all build
   build:
     name: Runtime build check
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     strategy:
       matrix:
-        runtime: [linux-x64, linux-musl-x64, linux-arm, linux-arm64, win-x64, win-x86, win-arm, win-arm64, osx-x64, osx-arm64]
+        runtime: [linux-x64, linux-musl-x64, linux-arm, linux-arm64, win-x64, win-x86, win-arm64, osx-x64, osx-arm64]
     timeout-minutes: 30
     steps:
       - uses: actions/[email protected]
-      - uses: actions/setup-dotnet@v3.0.2
+      - uses: actions/setup-dotnet@v4.3.1
         with:
-          dotnet-version: '6.0'
+          dotnet-version: '8.0'
 
       - name: Build
         run: dotnet build src/cyclonedx/cyclonedx.csproj -r ${{ matrix.runtime }}
 
   # Fail if there are any failed tests
   #
-  # We support .NET 6.0 on Windows, Mac and Linux.
+  # We support .NET 8.0 on Windows, Mac and Linux.
   #
   # To check for failing tests locally run `dotnet test`.
   test:
@@ -59,9 +62,9 @@ jobs:
 
     steps:
     - uses: actions/[email protected]
-    - uses: actions/setup-dotnet@v3.0.2
+    - uses: actions/setup-dotnet@v4.3.1
       with:
-        dotnet-version: '6.0'
+        dotnet-version: '8.0'
 
     - name: SnapshooterHotfixSymlinkLinux    
       if: matrix.os == 'ubuntu-latest'
@@ -75,4 +78,4 @@ jobs:
     - name: Tests
       run: |
         dotnet restore
-        dotnet test --framework net6.0
+        dotnet test --framework net8.0

.github/workflows/release.yml

@@ -25,19 +25,25 @@ on:
 env:
   SNAPSHOOTER_STRICT_MODE: true
 
+# see https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions: {}
+
 jobs:
   release:
     name: Release
-    runs-on: ubuntu-20.04
+    permissions:
+      contents: write  # for git-push and creating a GH release and uploading release assets
+    runs-on: ubuntu-24.04
     timeout-minutes: 30
     outputs:
       # Used by the release-osx-arm64 job to upload the osx-arm64 binary
       release_upload_url: ${{ steps.create_release.outputs.upload_url }}
     steps:
       - uses: actions/[email protected]
-      - uses: actions/[email protected]
+      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1
+      - uses: actions/[email protected]
         with:
-          dotnet-version: '6.0'
+          dotnet-version: '8.0'
       - name: SnapshooterHotfixSymlinkLinux    
         run: sudo ln -s "$GITHUB_WORKSPACE" /_
         shell: bash
@@ -47,27 +53,34 @@ jobs:
 
       # Create binaries
       - name: Create binaries
+        env:
+          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
         id: create_binaries
         run: |
           VERSION=`cat semver.txt`
           echo "##[set-output name=version;]$VERSION"
           REPO=cyclonedx/cyclonedx-cli
           dotnet build --configuration Release
           mkdir bin
-          for runtime in linux-x64 linux-musl-x64 linux-arm linux-arm64 win-x64 win-x86 win-arm win-arm64 osx-x64
+          for runtime in linux-x64 linux-musl-x64 linux-arm linux-arm64 win-x64 win-x86 win-arm64 osx-x64
           do
             dotnet publish src/cyclonedx/cyclonedx.csproj -r $runtime --configuration Release /p:Version=$VERSION --self-contained true /p:PublishSingleFile=true /p:IncludeNativeLibrariesInSingleFile=true /p:IncludeNativeLibrariesForSelfExtract=true --output bin/$runtime
           done
-          docker build -f Dockerfile --build-arg VERSION=$VERSION -t $REPO:$VERSION -t $REPO:latest .
-
-      - name: Publish Docker image to Docker Hub
-        env:
-          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-        run: |
-          REPO=cyclonedx/cyclonedx-cli
+         
           docker login --username coderpatros --password "$DOCKER_TOKEN"
-          docker push $REPO:latest
-          docker push $REPO:${{ steps.create_binaries.outputs.version }}
+          docker buildx build \
+            --sbom=true \
+            --provenance mode=max,builder-id="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"  \
+            --annotation "org.opencontainers.image.url=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY"  \
+            --annotation "org.opencontainers.image.source=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY"  \
+            --annotation "org.opencontainers.image.version=$VERSION"  \
+            --annotation "org.opencontainers.image.revision=$GITHUB_SHA"  \
+            --annotation "org.opencontainers.image.created=$(date -Iseconds)"              \
+            --build-arg VERSION=$VERSION  \
+            -t $REPO:$VERSION  \
+            -t $REPO:latest  \
+            --push \
+            -f Dockerfile .       
 
       - name: Create github release and git tag for release
         id: create_release
@@ -140,16 +153,6 @@ jobs:
           asset_name: cyclonedx-win-x86.exe
           asset_content_type: application/octet-stream
 
-      - name: Upload binary to github release
-        uses: actions/[email protected]
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: bin/win-arm/cyclonedx.exe
-          asset_name: cyclonedx-win-arm.exe
-          asset_content_type: application/octet-stream
-
       - name: Upload binary to github release
         uses: actions/[email protected]
         env:
@@ -175,13 +178,15 @@ jobs:
   release-osx-arm64:
     name: Release osx-arm64
     needs: release
+    permissions:
+      contents: write  # for uploading release assets
     runs-on: macos-latest
     timeout-minutes: 30
     steps:
       - uses: actions/[email protected]
-      - uses: actions/setup-dotnet@v3.0.2
+      - uses: actions/setup-dotnet@v4.3.1
         with:
-          dotnet-version: '6.0'
+          dotnet-version: '8.0'
 
       - name: Create binary
         run: |
@@ -204,4 +209,4 @@ jobs:
           upload_url: ${{ needs.release.outputs.release_upload_url }}
           asset_path: bin/osx-arm64/cyclonedx
           asset_name: cyclonedx-osx-arm64
-          asset_content_type: application/octet-stream
+          asset_content_type: application/octet-stream

Dockerfile

@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/dotnet/runtime-deps:6.0
+FROM mcr.microsoft.com/dotnet/runtime-deps:8.0
 
 ENV PATH=/:$PATH
 

README.md

@@ -333,7 +333,6 @@ Officially supported builds are available for these platforms:
 Community supported builds are available for these platforms:
 
 - Windows x86 (win-x86)
-- Windows ARM (win-arm)
 - Windows ARM x64 (win-arm64)
 - Linux ARM (linux-arm)
 - Linux ARM x64 (linux-arm64)
@@ -388,7 +387,7 @@ Permission to modify and redistribute is granted under the terms of the Apache 2
 Pull requests are welcome. But please read the
 [CycloneDX contributing guidelines](https://github.com/CycloneDX/.github/blob/master/CONTRIBUTING.md) first.
 
-To build and test the solution locally you should have .NET 6
+To build and test the solution locally you should have .NET 8
 installed. Standard commands like `dotnet build` and `dotnet test` work.
 
 It is generally expected that pull requests will include relevant tests.

semver.txt

@@ -1 +1 @@
-0.27.1
+0.29.0

src/cyclonedx/Commands/Add/AddFilesCommand.cs

@@ -29,6 +29,7 @@
 using AntPathMatching;
 using CycloneDX.Models;
 using CycloneDX.Cli.Commands;
+using System.CommandLine.NamingConventionBinder;
 
 namespace CycloneDX.Cli.Commands.Add
 {
@@ -44,8 +45,8 @@ public static void Configure(System.CommandLine.Command rootCommand)
             subCommand.Add(new Option<CycloneDXBomFormat>("--input-format", "Specify input file format."));
             subCommand.Add(new Option<CycloneDXBomFormat>("--output-format", "Specify output file format."));
             subCommand.Add(new Option<string>("--base-path", "Base path for directory to process (defaults to current working directory if omitted)."));
-            subCommand.Add(new Option<List<string>>("--include", "Apache Ant style path and file patterns to specify what to include (defaults to all files, separate patterns with a space)."));
-            subCommand.Add(new Option<List<string>>("--exclude", "Apache Ant style path and file patterns to specify what to exclude (defaults to none, separate patterns with a space)."));
+            subCommand.Add(new Option<List<string>>("--include", "Apache Ant style path and file patterns to specify what to include (defaults to all files, separate patterns with a space).") { AllowMultipleArgumentsPerToken = true});
+            subCommand.Add(new Option<List<string>>("--exclude", "Apache Ant style path and file patterns to specify what to exclude (defaults to none, separate patterns with a space).") { AllowMultipleArgumentsPerToken = true });
             subCommand.Handler = CommandHandler.Create<AddFilesCommandOptions>(AddFiles);
             rootCommand.Add(subCommand);
         }

src/cyclonedx/Commands/AnalyzeCommand.cs

@@ -17,6 +17,7 @@
 using System;
 using System.CommandLine;
 using System.CommandLine.Invocation;
+using System.CommandLine.NamingConventionBinder;
 using System.Text.Json;
 using System.Threading.Tasks;
 using CycloneDX.Cli.Models;

src/cyclonedx/Commands/ConvertCommand.cs

@@ -17,6 +17,7 @@
 using System;
 using System.CommandLine;
 using System.CommandLine.Invocation;
+using System.CommandLine.NamingConventionBinder;
 using System.Diagnostics.Contracts;
 using System.Threading.Tasks;
 using CycloneDX.Cli;

src/cyclonedx/Commands/DiffCommand.cs

@@ -17,6 +17,7 @@
 using System;
 using System.CommandLine;
 using System.CommandLine.Invocation;
+using System.CommandLine.NamingConventionBinder;
 using System.Text.Json;
 using System.Text.Json.Serialization;
 using System.Threading.Tasks;

src/cyclonedx/Commands/KeyGenCommand.cs

@@ -17,6 +17,7 @@
 using System;
 using System.CommandLine;
 using System.CommandLine.Invocation;
+using System.CommandLine.NamingConventionBinder;
 using System.IO;
 using System.Security.Cryptography;
 using System.Threading.Tasks;
@@ -37,7 +38,7 @@ internal static void Configure(RootCommand rootCommand)
         public static async Task<int> KeyGen(KeyGenCommandOptions options)
         {
             Console.WriteLine("Generating new public/private key pair...");
-            using (RSA rsa = new RSACryptoServiceProvider(2048))
+            using (var rsa = new RSACryptoServiceProvider(2048))
             {
                 var publicKeyFilename = string.IsNullOrEmpty(options.PublicKeyFile) ? "public.key" : options.PublicKeyFile;
                 Console.WriteLine($"Saving public key to {publicKeyFilename}");