Change default spec version to latest (1.6)

[XSpielinbox]

Is your feature request related to a problem? Please describe.

I'm always frustrated when I have to manually look up the newest version of the CycloneDX spec and specify it manually via the cli. Newer versions of the spec bring improvements and defaulting to old versions hinders adoption.

Describe the solution you'd like

It would be very nice, if the newest supported version would be the default, then one doesn't have to specify a spec version and nevertheless can use the latest and greatest version of CycloneDX.

Describe alternatives you've considered

Adopt a clear guideline on when to change the default to a new version, when not changing it directly, but rather e.g. 1 week/month/year after release of the new spec version.

Additional context

Version 1.4 (the current default) has been released on 12 January 2022, so it is over a two years old now and is the default for at least 1.5 years now.

Version 1.5 has been released on 26 June 2023, so is almost a year old now as well.

Version 1.6 has been released on 09 April 2024, so it is almost 2 weeks old now as well, but has been supported since over a month now.

Dependency Track works flawlessly with CycloneDX 1.6.

[jkowalleck]

Newer versions of the spec bring improvements and defaulting to old versions hinders adoption.

Changing de default values has no benefit for nobody in this case - it would not affect the SBOM result in no way. So I do not see your point here.

I am well aware of adopting new standards. But it took the CycloneDX community several months to adopt spec 1.5 when it came to ingesting the data.

Version 1.5 has been released on 26 June 2023, so is almost a year old now as well.

See for example, DependencyTrack - CDX 1.5 support was introduced with on October 16, 2023.

Dependency Track works flawlessly with CycloneDX 1.6.

See https://docs.dependencytrack.org/changelog/

As of today, DT v4.10.1 is the "latest" version. It was built months before CycloneDX 1.6 was released...
So I would not count on that ;-)

---

It would be very nice, if the newest supported version would be the default, then one doesn't have to specify a spec version and nevertheless can use the latest and greatest version of CycloneDX.

From which none of its features is used in this tool, yet.

---

All in all, I see your request, and still I do not see any reason to change a default value to 1.6 yet.

-> I will close this issue as soon as the "latest" version became the default. No worries.

[jkowalleck]

working on it. will change default version 1.6
it should be part of the next major version release.

[jkowalleck]

was released via https://github.com/CycloneDX/cyclonedx-node-npm/releases/tag/v2.0.0