Merge remote-tracking branch 'upstream/main' into feat/691-uzair-provides

Signed-off-by: Uzair Chhapra <[email protected]>

Author: uzairchhapra

.flake8

@@ -41,3 +41,6 @@ copyright-text =
     '#'
     '# SPDX-License-Identifier: Apache-2.0'
     '# Copyright (c) OWASP Foundation. All Rights Reserved.'
+lines-to-exclude =
+    ## shebang
+    '#!'

.gitattributes

@@ -115,7 +115,10 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: ['ubuntu-latest', 'windows-latest', 'macos-13']
+        os:
+          - ubuntu-latest
+          - macos-13  # macos-latest might be incompatible to py38 - see https://github.com/CycloneDX/cyclonedx-python-lib/pull/599#issuecomment-2077462142
+          - windows-latest
         python-version:
           - "3.13" # highest supported
           - "3.12"

.github/workflows/python.yml

@@ -122,8 +122,8 @@ jobs:
 
       - name: Publish package distributions to GitHub Releases
         if: steps.release.outputs.released == 'true'
-        # see https://github.com/python-semantic-release/upload-to-gh-release
-        uses: python-semantic-release/upload-to-gh-release@main
+        # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html#python-semantic-release-publish-action
+        uses: python-semantic-release/publish-action@v9
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           tag: ${{ steps.release.outputs.tag }}

.github/workflows/release.yml

@@ -2,6 +2,192 @@
 
 
 
+## v9.1.1-rc.1 (2025-03-03)
+
+
+## v9.1.0 (2025-02-27)
+
+### Feature
+
+* feat: `model.VulnerabilityAnalysis` properties for issued/updated datetime (#794)
+
+
+
+Signed-off-by: Indivar Mishra <[email protected]> ([`4a3955a`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/4a3955a610bad97550e11c426c61c1295b76f804))
+
+### Fix
+
+* fix: improved comparison functionality of `model.VulnerabilityAnalysis` (#795)
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`7d57c73`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/7d57c73ef63bfb016099f4c0312b6702da488efc))
+
+
+## v9.0.2 (2025-02-26)
+
+
+## v9.0.0 (2025-02-26)
+
+### Breaking
+
+* feat!: 9.0.1 (#777)
+
+
+### BREAKING Changes
+
+* Fix: `model.vulnerability.VulnerabilityReference`'s properties are all
+mandatory
+([#790](https://github.com/CycloneDX/cyclonedx-python-lib/issues/790)
+via [#792](https://github.com/CycloneDX/cyclonedx-python-lib/pull/792))
+* Refactor: Rename `spdx.is_compund_expression` -> `spdx.is_expression`
+([#779](https://github.com/CycloneDX/cyclonedx-python-lib/pull/779))
+* Behavior: `BomRef` affects comparison/hashing
+([#754](https://github.com/CycloneDX/cyclonedx-python-lib/pull/754) &
+[#780](https://github.com/CycloneDX/cyclonedx-python-lib/pull/780))
+  This is only a breaking change if you relied on ordering of elements.
+* Behavior: streamline comparison/hashing functions
+([#755](https://github.com/CycloneDX/cyclonedx-python-lib/pull/755))
+  This is only a breaking change if you relied on ordering of elements.
+* Dependency: bump dependency `py-serializable >=2 <3`, was `>=1.1.1 <2`
+([#775](https://github.com/CycloneDX/cyclonedx-python-lib/pull/775))
+This is only a breaking change if you have other packages depend on that
+specific version.
+
+---------
+
+Signed-off-by: Jan Kowalleck <[email protected]>
+Signed-off-by: wkoot <[email protected]>
+Signed-off-by: semantic-release <[email protected]>
+Co-authored-by: wkoot <[email protected]>
+Co-authored-by: semantic-release <[email protected]> ([`e6f91fa`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/e6f91fa98cbb02cda62fd0bc5b1f1b9bf19902ee))
+
+
+## v8.9.0 (2025-02-25)
+
+### Documentation
+
+* docs:  extended instructions for "contributing" (#783)
+
+supersedes
+https://github.com/CycloneDX/cyclonedx-python-lib/pull/773/files#r1954324461
+
+---------
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`e2a4ed3`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/e2a4ed3608253b65a0f902f225fe7b7dd29ab864))
+
+### Feature
+
+* feat: avoid raising `NoPropertiesProvidedException` for optional parameters (#786)
+
+the following classes' init no longer raise `NoPropertiesProvidedException`:
+* `cyclonedx.model.IdentifiableAction`
+* `cyclonedx.model.component.Commit`
+* `cyclonedx.model.component.ComponentEvidence`
+* `cyclonedx.model.component.Diff`
+* `cyclonedx.model.component.Pedigree`
+* `cyclonedx.model.issue.IssueTypeSource`
+* `cyclonedx.model.vulnerability.VulnerabilityAnalysis`
+* `cyclonedx.model.vulnerability.VulnerabilityCredits`
+* `cyclonedx.model.vulnerability.VulnerabilityRating`
+* `cyclonedx.model.vulnerability.VulnerabilitySource`
+
+---------
+
+Signed-off-by: Indivar Mishra <[email protected]> ([`845b8d5`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/845b8d538d2f0fcadb3a3257a066ad58e3640c97))
+
+
+## v8.8.0 (2025-02-12)
+
+### Feature
+
+* feat: add `cyclonedx.model.crypto.ProtocolProperties.crypto_refs` (#767)
+
+
+Signed-off-by: Indivar Mishra <[email protected]> ([`beb35f5`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/beb35f55e3e75d625db45e4ff084dee02e919ef6))
+
+
+## v8.7.0 (2025-02-06)
+
+### Feature
+
+* feat: allow empty `OrganizationalContact` object (#772)
+
+fixes https://github.com/CycloneDX/cyclonedx-python-lib/issues/771
+
+---------
+
+Signed-off-by: Johannes Feichtner <[email protected]>
+Signed-off-by: Johannes Feichtner <[email protected]> ([`03b35f4`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/03b35f4293ab3b4c402c7bb8ff458831e492cb8b))
+
+
+## v8.6.0 (2025-02-04)
+
+### Feature
+
+* feat: expand the capabilities of `models.definition.Standard` (#713)
+
+
+---------
+
+Signed-off-by: Hakan Dilek <[email protected]>
+Signed-off-by: Jan Kowalleck <[email protected]>
+Co-authored-by: Jan Kowalleck <[email protected]> ([`901dcdc`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/901dcdc60a8a46d30878764d7b8bda69c6ba8b80))
+
+* feat: allow empty `OrganizationalEntity` object (#768)
+
+fixes https://github.com/CycloneDX/cyclonedx-python-lib/issues/764
+
+Signed-off-by: Johannes Feichtner <[email protected]> ([`472bded`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/472bded38cd480ba6885d44c798e015b63c89190))
+
+
+## v8.5.1 (2025-01-28)
+
+### Documentation
+
+* docs: responsibilities & capabilities (#763)
+
+
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`ab4ae45`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/ab4ae4578555f010914d7e904133dd478d7c80c1))
+
+* docs: Fix typos in in conda-forge.md and remove unused reference in README (#762)
+
+- Fix few typos in conda-forge.md
+- Removed unused PEP-508 ref in README.md
+
+Signed-off-by: Arthit Suriyawongkul <[email protected]> ([`66ece7a`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/66ece7ae0042740a541ceed3048b89c4f2b24145))
+
+* docs: modernize docstrings for CDX1.6 (#759)
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`fb9a42e`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/fb9a42ef9bda6407ddf4c49e75d10aa0fc91e46d))
+
+### Feature
+
+* feat: couple classes and their serializes (#757)
+
+Deprecates `.serialization.BomRefHelper` and
+`.serialization.LicenseRepositoryHelper`
+
+fixes #756
+
+---------
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`6003feb`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/6003febaa032969732ee246deb739d1e13bae581))
+
+
+## v8.5.0 (2024-11-18)
+
+### Documentation
+
+* docs: remove invalid docsting note about auto-assigned `bom-ref` values (#733) ([`5aa5787`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/5aa5787767c60dc23fd09f6cf14e54e5b0efceb4))
+
+### Feature
+
+* feat: support CycloneDX 1.6.1 (#742)
+
+
+Signed-off-by: Jan Kowalleck <[email protected]> ([`55eafed`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/55eafedf50d395911a697bd9c85eeab5820934ff))
+
+
 ## v8.4.0 (2024-10-29)
 
 ### Feature

CHANGELOG.md

@@ -1,9 +1,13 @@
 # Contributing
 
-Pull requests are welcome.
-But please read the
-[CycloneDX contributing guidelines](https://github.com/CycloneDX/.github/blob/master/CONTRIBUTING.md)
-first.
+Any contribution is welcome.  
+Please read the [CycloneDX contributing guidelines](https://github.com/CycloneDX/.github/blob/master/CONTRIBUTING.md) first.
+
+Pull-requests from forks are welcome.  
+We love to see your purposed changes, but we also like to discuss things first. Please open a ticket and explain your intended changes to the community. And don't forget to mention that discussion in your pull-request later. 
+Find the needed basics here:
+* [how to fork a repository](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/fork-a-repo)
+* [how create a pull request from a fork](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork)
 
 ## Setup
 

CONTRIBUTING.md

@@ -17,20 +17,22 @@
 OWASP [CycloneDX][link_website] is a full-stack Bill of Materials (BOM) standard
 that provides advanced supply chain capabilities for cyber risk reduction.
 
-This Python package provides data models, validators and more, 
+This Python package provides data models, validators and more,
 to help you create/render/read CycloneDX documents.
 
-**This package is not designed for standalone use. It is a software library.**
-
-As of version `3.0.0`, the internal data model was adjusted to allow CycloneDX VEX documents to be produced as per
-[official examples](https://cyclonedx.org/capabilities/bomlink/#linking-external-vex-to-bom-inventory) linking VEX to a separate CycloneDX document.
-
-If you're looking for a CycloneDX tool to run to generate (SBOM) software bill-of-materials documents, why not checkout 
-[CycloneDX Python][cyclonedx-python] or [Jake][jake].
+> [!NOTE]
+> This package is a software library not intended for standalone use. 
+> For generating Software Bill of Materials (SBOM), check out [CycloneDX Python][cyclonedx-python] or [Jake][jake].
 
 ## Documentation
 
-View the documentation [here](https://cyclonedx-python-library.readthedocs.io/).
+Complete documentation is available on [Read the Docs][link_rtfd]. This includes:
+- Responsibilities & Capabilities
+- Install Instructions
+- API Reference
+- Usage Examples
+- Integration Guides
+- Best Practices
 
 ## Python Support
 
@@ -81,5 +83,3 @@ See the [LICENSE][license_file] file for the full license.
 [link_slack]: https://cyclonedx.org/slack/invite
 [link_discussion]: https://groups.io/g/CycloneDX
 [link_twitter]: https://twitter.com/CycloneDX_Spec
-
-[PEP-508]: https://www.python.org/dev/peps/pep-0508/

README.md

@@ -4,6 +4,7 @@
 exclude_dirs:
   - docs
   - .venv
+  - .tox
 
 skips:
   - B101

bandit.yml

@@ -22,4 +22,4 @@
 
 # !! version is managed by semantic_release
 # do not use typing here, or else `semantic_release` might have issues finding the variable
-__version__ = "8.4.0"  # noqa:Q000
+__version__ = "9.1.1-rc.1"  # noqa:Q000

cyclonedx/__init__.py

@@ -42,7 +42,7 @@ def __lt__(self, other: Any) -> bool:
                 return False
             if o is None:
                 return True
-            return True if s < o else False
+            return bool(s < o)
         return False
 
     def __gt__(self, other: Any) -> bool:
@@ -54,44 +54,29 @@ def __gt__(self, other: Any) -> bool:
                 return True
             if o is None:
                 return False
-            return True if s > o else False
+            return bool(s > o)
         return False
 
 
-class ComparableDict:
+class ComparableDict(ComparableTuple):
     """
     Allows comparison of dictionaries, allowing for missing/None values.
     """
 
-    def __init__(self, dict_: Dict[Any, Any]) -> None:
-        self._dict = dict_
-
-    def __lt__(self, other: Any) -> bool:
-        if not isinstance(other, ComparableDict):
-            return True
-        keys = sorted(self._dict.keys() | other._dict.keys())
-        return ComparableTuple(self._dict.get(k) for k in keys) \
-            < ComparableTuple(other._dict.get(k) for k in keys)
-
-    def __gt__(self, other: Any) -> bool:
-        if not isinstance(other, ComparableDict):
-            return False
-        keys = sorted(self._dict.keys() | other._dict.keys())
-        return ComparableTuple(self._dict.get(k) for k in keys) \
-            > ComparableTuple(other._dict.get(k) for k in keys)
+    def __new__(cls, d: Dict[Any, Any]) -> 'ComparableDict':
+        return super(ComparableDict, cls).__new__(cls, sorted(d.items()))
 
 
 class ComparablePackageURL(ComparableTuple):
     """
     Allows comparison of PackageURL, allowing for qualifiers.
     """
 
-    def __new__(cls, purl: 'PackageURL') -> 'ComparablePackageURL':
-        return super().__new__(
-            ComparablePackageURL, (
-                purl.type,
-                purl.namespace,
-                purl.version,
-                ComparableDict(purl.qualifiers) if isinstance(purl.qualifiers, dict) else purl.qualifiers,
-                purl.subpath
-            ))
+    def __new__(cls, p: 'PackageURL') -> 'ComparablePackageURL':
+        return super(ComparablePackageURL, cls).__new__(cls, (
+            p.type,
+            p.namespace,
+            p.version,
+            ComparableDict(p.qualifiers) if isinstance(p.qualifiers, dict) else p.qualifiers,
+            p.subpath
+        ))