Merge branch 'main' into feat/validator_error_useful

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

.github/workflows/python.yml

@@ -50,6 +50,30 @@ jobs:
       - name: Run tox
         run: poetry run tox run -e pyupgrade -s false
 
+  deptry:
+    name: test dependencies
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v4
+      - name: Setup Python Environment
+        # see https://github.com/actions/setup-python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
+          architecture: 'x64'
+      - name: Install poetry
+        # see https://github.com/marketplace/actions/setup-poetry
+        uses: Gr1N/setup-poetry@v9
+        with:
+          poetry-version: ${{ env.POETRY_VERSION }}
+      - name: Install dependencies
+        run: poetry install --no-root
+      - name: Run tox
+        run: poetry run tox run -e deptry -s false
+
   coding-standards:
     name: Linting & CodingStandards
     runs-on: ubuntu-latest

.github/workflows/release.yml

@@ -6,14 +6,15 @@ on:
       release_force:
         # see https://python-semantic-release.readthedocs.io/en/latest/github-action.html#command-line-options
         description: |
-          Force release be one of: [major | minor | patch]
+          Force release be one of: [major | minor | patch | prerelease]
           Leave empty for auto-detect based on commit messages.
         type: choice
         options:
-          - "" # auto - no force
-          - major # force major
-          - minor # force minor
-          - patch # force patch
+          - ""         # auto - no force
+          - major      # force major
+          - minor      # force minor
+          - patch      # force patch
+          - prerelease # force prerelease
         default: ""
         required: false
       prerelease_token:
@@ -64,9 +65,32 @@ jobs:
       - name: Run tox
         run: poetry run tox run -e py -s false
 
+  deptry:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v4
+      - name: Setup Python Environment
+        # see https://github.com/actions/setup-python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
+          architecture: 'x64'
+      - name: Install poetry
+        # see https://github.com/marketplace/actions/setup-poetry
+        uses: Gr1N/setup-poetry@v9
+        with:
+          poetry-version: ${{ env.POETRY_VERSION }}
+      - name: Install dependencies
+        run: poetry install --no-root
+      - name: Run tox
+        run: poetry run tox run -e deptry -s false
+
   release:
     needs:
       - quicktest
+      - deptry
     # https://github.community/t/how-do-i-specify-job-dependency-running-in-another-workflow/16482
     # limit this to being run on regular commits, not the commits that semantic-release will create
     # but also allow manual workflow dispatch

CHANGELOG.md

@@ -2,6 +2,41 @@
 
 <!-- version list -->
 
+## v10.4.1 (2025-07-08)
+
+### Bug Fixes
+
+- Add runtime dependnecy `typing_extensions>=4.6; python_version<"3.13"`
+  ([#845](https://github.com/CycloneDX/cyclonedx-python-lib/pull/845),
+  [`95b560a`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/95b560a6730bc8bb43c41768a33ad221ba9ca283))
+
+- Added runtime dependnecy `referencing>=0.28.4"`
+  ([#846](https://github.com/CycloneDX/cyclonedx-python-lib/pull/846),
+  [`4d01e87`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/4d01e87dcf7a118d7f0011b669809d5df9bfd9d5))
+
+
+## v10.4.0 (2025-07-08)
+
+### Bug Fixes
+
+- Issue `DeprecationWarnings` for deprecated properties properly
+  ([#838](https://github.com/CycloneDX/cyclonedx-python-lib/pull/838),
+  [`34a11aa`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/34a11aacf65a3be7766304e7ec3a009d2d8720d1))
+
+- Removed meaningless pattern checks for CycloneDX 1.2 JSON schema
+  ([#843](https://github.com/CycloneDX/cyclonedx-python-lib/pull/843),
+  [`6e8083a`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/6e8083a7adc626b6e420518c4919807574ad5f50))
+
+### Features
+
+- Decorate deprecated symbols ([#839](https://github.com/CycloneDX/cyclonedx-python-lib/pull/839),
+  [`33daaf1`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/33daaf1e93b0993cc5076874e1894d8c9fcd4df9))
+
+- Validators return specific error classes
+  ([#840](https://github.com/CycloneDX/cyclonedx-python-lib/pull/840),
+  [`23a0f72`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/23a0f72ef29428e712917efa3b083c858e60dc04))
+
+
 ## v10.3.0 (2025-06-30)
 
 ### Documentation

cyclonedx/__init__.py

@@ -22,4 +22,4 @@
 
 # !! version is managed by semantic_release
 # do not use typing here, or else `semantic_release` might have issues finding the variable
-__version__ = "10.3.0"  # noqa:Q000
+__version__ = "10.4.1"  # noqa:Q000

cyclonedx/model/bom.py

@@ -87,13 +87,8 @@ def __init__(
         self.properties = properties or []
         self.manufacturer = manufacturer
         self.lifecycles = lifecycles or []
-
+        # deprecated properties below
         self.manufacture = manufacture
-        if manufacture:
-            warn(
-                '`bom.metadata.manufacture` is deprecated from CycloneDX v1.6 onwards. '
-                'Please use `bom.metadata.component.manufacturer` instead.',
-                DeprecationWarning)
 
     @property
     @serializable.type_mapping(serializable.helpers.XsdDateTime)
@@ -214,6 +209,11 @@ def manufacture(self, manufacture: Optional[OrganizationalEntity]) -> None:
         @todo Based on https://github.com/CycloneDX/specification/issues/346,
               we should set this data on `.component.manufacturer`.
         """
+        if manufacture is not None:
+            warn(
+                '`bom.metadata.manufacture` is deprecated from CycloneDX v1.6 onwards. '
+                'Please use `bom.metadata.component.manufacturer` instead.',
+                DeprecationWarning)
         self._manufacture = manufacture
 
     @property

cyclonedx/model/component.py

@@ -1010,11 +1010,9 @@ def __init__(
         self.supplier = supplier
         self.manufacturer = manufacturer
         self.authors = authors or []
-        self.author = author
         self.publisher = publisher
         self.group = group
         self.name = name
-        self.version = version
         self.description = description
         self.scope = scope
         self.hashes = hashes or []
@@ -1025,7 +1023,6 @@ def __init__(
         self.omnibor_ids = omnibor_ids or []
         self.swhids = swhids or []
         self.swid = swid
-        self.modified = modified
         self.pedigree = pedigree
         self.external_references = external_references or []
         self.properties = properties or []
@@ -1034,13 +1031,10 @@ def __init__(
         self.release_notes = release_notes
         self.crypto_properties = crypto_properties
         self.tags = tags or []
-
-        if modified:
-            warn('`.component.modified` is deprecated from CycloneDX v1.3 onwards. '
-                 'Please use `@.pedigree` instead.', DeprecationWarning)
-        if author:
-            warn('`.component.author` is deprecated from CycloneDX v1.6 onwards. '
-                 'Please use `@.authors` or `@.manufacturer` instead.', DeprecationWarning)
+        # spec-deprecated properties below
+        self.author = author
+        self.modified = modified
+        self.version = version
 
     @property
     @serializable.type_mapping(_ComponentTypeSerializationHelper)
@@ -1175,6 +1169,9 @@ def author(self) -> Optional[str]:
 
     @author.setter
     def author(self, author: Optional[str]) -> None:
+        if author is not None:
+            warn('`@.author` is deprecated from CycloneDX v1.6 onwards. '
+                 'Please use `@.authors` or `@.manufacturer` instead.', DeprecationWarning)
         self._author = author
 
     @property
@@ -1255,7 +1252,7 @@ def version(self) -> Optional[str]:
     @version.setter
     def version(self, version: Optional[str]) -> None:
         if version and len(version) > 1024:
-            warn('`.component.version`has a maximum length of 1024 from CycloneDX v1.6 onwards.', UserWarning)
+            warn('`@.version`has a maximum length of 1024 from CycloneDX v1.6 onwards.', UserWarning)
         self._version = version
 
     @property
@@ -1450,6 +1447,9 @@ def modified(self) -> bool:
 
     @modified.setter
     def modified(self, modified: bool) -> None:
+        if modified:
+            warn('`@.modified` is deprecated from CycloneDX v1.3 onwards. '
+                 'Please use `@.pedigree` instead.', DeprecationWarning)
         self._modified = modified
 
     @property

cyclonedx/model/tool.py

@@ -203,12 +203,9 @@ def __init__(
         # Deprecated since v1.5
         tools: Optional[Iterable[Tool]] = None
     ) -> None:
-        if tools:
-            warn('`@.tools` is deprecated from CycloneDX v1.5 onwards. '
-                 'Please use `@.components` and `@.services` instead.',
-                 DeprecationWarning)
         self.components = components or ()
         self.services = services or ()
+        # spec-deprecated properties below
         self.tools = tools or ()
 
     @property
@@ -241,6 +238,10 @@ def tools(self) -> 'SortedSet[Tool]':
 
     @tools.setter
     def tools(self, tools: Iterable[Tool]) -> None:
+        if tools:
+            warn('`@.tools` is deprecated from CycloneDX v1.5 onwards. '
+                 'Please use `@.components` and `@.services` instead.',
+                 DeprecationWarning)
         self._tools = SortedSet(tools)
 
     def __len__(self) -> int:

cyclonedx/schema/_res/README.md

@@ -15,13 +15,13 @@ Currently using version
 | [`bom-1.4.SNAPSHOT.xsd`](bom-1.4.SNAPSHOT.xsd) | applied changes: 1 |
 | [`bom-1.5.SNAPSHOT.xsd`](bom-1.5.SNAPSHOT.xsd) | applied changes: 1 |
 | [`bom-1.6.SNAPSHOT.xsd`](bom-1.6.SNAPSHOT.xsd) | applied changes: 1 |
-| [`bom-1.2.SNAPSHOT.schema.json`](bom-1.2.SNAPSHOT.schema.json) | applied changes: 2,3,4,5 |
-| [`bom-1.3.SNAPSHOT.schema.json`](bom-1.3.SNAPSHOT.schema.json) | applied changes: 2,3,4,5 |
-| [`bom-1.4.SNAPSHOT.schema.json`](bom-1.4.SNAPSHOT.schema.json) | applied changes: 2,3,4,5 |
-| [`bom-1.5.SNAPSHOT.schema.json`](bom-1.5.SNAPSHOT.schema.json) | applied changes: 2,3,4,5 |
-| [`bom-1.6.SNAPSHOT.schema.json`](bom-1.6.SNAPSHOT.schema.json) | applied changes: 2,3,4,5 |
-| [`bom-1.2-strict.SNAPSHOT.schema.json`](bom-1.2-strict.SNAPSHOT.schema.json) | applied changes: 2,3,4,5 |
-| [`bom-1.3-strict.SNAPSHOT.schema.json`](bom-1.3-strict.SNAPSHOT.schema.json) | applied changes: 2,3,4,5 |
+| [`bom-1.2.SNAPSHOT.schema.json`](bom-1.2.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6 |
+| [`bom-1.3.SNAPSHOT.schema.json`](bom-1.3.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6 |
+| [`bom-1.4.SNAPSHOT.schema.json`](bom-1.4.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6 |
+| [`bom-1.5.SNAPSHOT.schema.json`](bom-1.5.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6 |
+| [`bom-1.6.SNAPSHOT.schema.json`](bom-1.6.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6 |
+| [`bom-1.2-strict.SNAPSHOT.schema.json`](bom-1.2-strict.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6 |
+| [`bom-1.3-strict.SNAPSHOT.schema.json`](bom-1.3-strict.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6 |
 | [`spdx.SNAPSHOT.xsd`](spdx.SNAPSHOT.xsd) | |
 | [`spdx.SNAPSHOT.schema.json`](spdx.SNAPSHOT.schema.json) | |
 | [`jsf-0.82.SNAPSHOT.schema.json`](jsf-0.82.SNAPSHOT.schema.json) | |
@@ -32,3 +32,4 @@ changes:
 3. `jsf-0.82.schema.json` was replaced with `jsf-0.82.SNAPSHOT.schema.json`
 4. `properties.$schema.enum` was removed
 5. `required.version` removed, as it is actually optional with default value
+6. `"pattern": "^(.*)$"` removed as it has no meaning