Merge branch 'main' into main

Author: jkowalleck

.github/workflows/python.yml

@@ -17,6 +17,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 env:
   REPORTS_DIR: CI_reports
   PYTHON_VERSION_DEFAULT: "3.11"

.github/workflows/release.yml

@@ -35,6 +35,8 @@ concurrency:
   group: deploy
   cancel-in-progress: false  # prevent hickups with semantic-release
 
+permissions: {}
+
 env:
   PYTHON_VERSION_DEFAULT: "3.11"
   POETRY_VERSION: "1.8.1"
@@ -106,7 +108,7 @@ jobs:
         id: release
         # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html
         # see https://github.com/python-semantic-release/python-semantic-release
-        uses: python-semantic-release/[email protected].0
+        uses: python-semantic-release/[email protected].1
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           force: ${{ github.event.inputs.release_force }}

CHANGELOG.md

@@ -1,6 +1,35 @@
 # CHANGELOG
 
 
+## v10.0.1 (2025-05-10)
+
+### Bug Fixes
+
+- Add missing comparator for VulnerabilityAnalysis
+  ([#812](https://github.com/CycloneDX/cyclonedx-python-lib/pull/812),
+  [`0df2982`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/0df2982151a99ce6e21336e6904afc0a8058f9af))
+
+When trying to generate a CycloneDX BOM that has two vulnerabilities that only differ in their
+  analysis, you get ``` TypeError: '<' not supported between instances of 'VulnerabilityAnalysis'
+  and 'VulnerabilityAnalysis' ```
+
+This PR adds the `__lt__` method for the VulnerabilityAnalysis model to fix sorting and also
+  includes a test case to verify the fix.
+
+---------
+
+Signed-off-by: Riku Häkli <[email protected]>
+
+Co-authored-by: Riku Häkli <[email protected]>
+
+### Documentation
+
+- **fix**: Mdformat
+  ([`acf5c45`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/acf5c45874808b831c33344f08ea21df20c727bb))
+
+Signed-off-by: Jan Kowalleck <[email protected]>
+
+
 ## v10.0.0 (2025-04-23)
 
 ### Features

cyclonedx/__init__.py

@@ -22,4 +22,4 @@
 
 # !! version is managed by semantic_release
 # do not use typing here, or else `semantic_release` might have issues finding the variable
-__version__ = "10.0.0"  # noqa:Q000
+__version__ = "10.0.1"  # noqa:Q000

cyclonedx/model/vulnerability.py

@@ -349,6 +349,11 @@ def __eq__(self, other: object) -> bool:
             return self.__comparable_tuple() == other.__comparable_tuple()
         return False
 
+    def __lt__(self, other: Any) -> bool:
+        if isinstance(other, VulnerabilityAnalysis):
+            return self.__comparable_tuple() < other.__comparable_tuple()
+        return NotImplemented
+
     def __hash__(self) -> int:
         return hash(self.__comparable_tuple())
 

docs/conf.py

@@ -23,7 +23,7 @@
 
 # The full version, including alpha/beta/rc tags
 # !! version is managed by semantic_release
-release = '10.0.0'
+release = '10.0.1'
 
 # -- General configuration ---------------------------------------------------
 

pyproject.toml

@@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api"
 [tool.poetry]
 name = "cyclonedx-python-lib"
 # !! version is managed by semantic_release
-version = "10.0.0"
+version = "10.0.1"
 description = "Python library for CycloneDX"
 authors = [
   "Paul Horton <[email protected]>",
@@ -82,20 +82,20 @@ xml-validation = ["lxml"]
 
 [tool.poetry.group.dev.dependencies]
 ddt = "1.7.2"
-coverage = "7.8.0"
+coverage = "7.8.2"
 flake8 = "7.2.0"
 flake8-annotations = "3.1.1"
 flake8-bugbear = "24.12.12"
 flake8-copyright-validator = "0.0.1"
 flake8-isort = "6.1.2"
 flake8-quotes = "3.4.0"
 flake8-use-fstring = "1.4"
-pep8-naming = "0.14.1"
+pep8-naming = "0.15.1"
 isort = "6.0.1"
 autopep8 = "2.3.2"
 mypy = "1.15.0"
 tomli = { version = "2.2.1", python = "<3.11" }
-tox = "4.25.0"
+tox = "4.26.0"
 xmldiff = "2.7.0"
 bandit = "1.8.3"
 

tests/test_model_vulnerability.py

@@ -20,12 +20,18 @@
 from unittest import TestCase
 
 from cyclonedx.model import XsUri
-from cyclonedx.model.impact_analysis import ImpactAnalysisAffectedStatus
+from cyclonedx.model.impact_analysis import (
+    ImpactAnalysisAffectedStatus,
+    ImpactAnalysisJustification,
+    ImpactAnalysisResponse,
+    ImpactAnalysisState,
+)
 from cyclonedx.model.vulnerability import (
     BomTarget,
     BomTargetVersionRange,
     Vulnerability,
     VulnerabilityAdvisory,
+    VulnerabilityAnalysis,
     VulnerabilityRating,
     VulnerabilityReference,
     VulnerabilityScoreSource,
@@ -334,3 +340,24 @@ def test_sort(self) -> None:
         sorted_targets = sorted(targets)
         expected_targets = reorder(targets, expected_order)
         self.assertListEqual(sorted_targets, expected_targets)
+
+
+class TestModelVulnerabilityAnalysis(TestCase):
+
+    def test_sort(self) -> None:
+        # expected sort order: ([state], [justification], [responses], [detail], [first_issued], [last_updated])
+        expected_order = [3, 1, 0, 2, 5, 4]
+        analyses = [
+            VulnerabilityAnalysis(state=ImpactAnalysisState.EXPLOITABLE),
+            VulnerabilityAnalysis(state=ImpactAnalysisState.EXPLOITABLE,
+                                  responses=[ImpactAnalysisResponse.CAN_NOT_FIX]),
+            VulnerabilityAnalysis(state=ImpactAnalysisState.NOT_AFFECTED,
+                                  justification=ImpactAnalysisJustification.CODE_NOT_PRESENT),
+            VulnerabilityAnalysis(state=ImpactAnalysisState.EXPLOITABLE,
+                                  justification=ImpactAnalysisJustification.REQUIRES_ENVIRONMENT),
+            VulnerabilityAnalysis(first_issued=datetime(2024, 4, 4), last_updated=datetime(2025, 5, 5)),
+            VulnerabilityAnalysis(first_issued=datetime(2023, 3, 3), last_updated=datetime(2023, 3, 3)),
+        ]
+        sorted_analyses = sorted(analyses)
+        expected_analyses = reorder(analyses, expected_order)
+        self.assertListEqual(sorted_analyses, expected_analyses)