feat!: v4.0.0 (#605)

  ## Changelog

  See also the migration guide in the docs.

  - BC: Removed support for python < 3.8
  - BC: Removed deprecated shell script `cyclonedx-bom`; use `cyclonedx-py` instead
  - BC: Removed conda support. However, conda's Python environments are fully supported. See below.
  - BC: Removed public API. You may use the CLI instead, see chapter "usage" in the docs.
  - BC: Complete redesign of the CommandLineInterface(CLI):
    - Uses sub-commands for easy accessibility and divide in specific purposes and domains
    - Easy understandable flags, switches and options -- in accordance with the domains
    - Updated help pages, added usage examples 
  - Dozens of new features and fixes, such as:
    - _environment_ analyzer supports any Python (virtual) environment --
      including support for, but not limited to: _conda_, _Hatch_, _PDM_, _Pipenv_, _Poetry_, _venv_, _virtualenv_
    - _Poetry_ analyzer support groups, filtering, and such
    - _Pipenv_ analyzer support categories, filtering, and such
    - _requirements_ analyzer is feature complete and fixed
    - More details in the SBOM results (based on method)
    - PackageURLs may have more qualifiers (enabled per default, disable via `--short-PURLs`)
    - component properties according to [official taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/)
    - SBOM results may be validated (enabled per default, disable via `--no-validate`)
    - SBOM results may have dependency graph populated (if supported by method - applies to _environment_ and _Poetry_)
    - SBOM results may have root-component populated (if `pyproject` provided)
    - SBOM results are more `diff`-friendly and not just one long line of text
    - Fixed possible issues with input data encoding
    - May omit dev-dependencies or domain-specific groups/categories (if supported by method and issued by CLI switches)
    - Strip authentication secrets from (private) download/index URLs
    - Support CycloneDX 1.5 - which is the default now
  - Upgraded documentation, examples, ...
  - Complete rewrite from scratch
  - Dependencies were bumped, dropped, added, ...
  - QA and test suites were massively enhanced



---------

Signed-off-by: Paul Horton <paul.horton@owasp.org>
Signed-off-by: Thomas Graf <thomas.graf@siemens.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Andreas Fehlner <fehlner@arcor.de>
Signed-off-by: Jan Kowalleck <jan.kowalleck@owasp.org>
Signed-off-by: semantic-release <semantic-release>
Co-authored-by: Paul Horton <paul.horton@owasp.org>
Co-authored-by: Thomas Graf <thomas.graf@siemens.com>
Co-authored-by: semantic-release <semantic-release>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions <github-actions@github.com>
Co-authored-by: Andreas Fehlner <fehlner@arcor.de>

Author: 6 people

.editorconfig

@@ -31,7 +31,7 @@ trim_trailing_whitespace = false
 indent_style = space
 indent_size = 4
 
-[*.ini]
+[{*.ini,.bandit,.flake8}]
 charset = latin1
 indent_style = space
 indent_size = 4

.envrc

@@ -0,0 +1,5 @@
+# https://pipenv.pypa.io/en/latest/configuration.html
+export PIPENV_IGNORE_VIRTUALENVS=1
+
+# https://pdm-project.org/latest/usage/venv/
+export PDM_IGNORE_ACTIVE_VENV=1

.flake8

@@ -0,0 +1,20 @@
+[flake8]
+## https://flake8.pycqa.org/en/latest/user/configuration.html
+## keep in sync with isort config - in `.isort.cfg` file
+
+exclude =
+    build,dist,__pycache__,.eggs,*.egg-info*,
+    *_cache,*.cache,
+    .git,.tox,.venv,venv
+    _OLD,_TEST,
+    docs
+
+max-line-length = 120
+
+max-complexity = 15
+
+ignore =
+    # ignore `self`, `cls` markers of flake8-annotations>=2.0
+    ANN101,ANN102
+    # ignore ANN401 for dynamically typed *args and **kwargs
+    ANN401

.github/ISSUE_TEMPLATE/ValidationError-report.md

@@ -0,0 +1,33 @@
+---
+name: ValidationError report
+about: Report a ValidationError to help us improve
+title: "[ValidationError]"
+labels: ValidationError
+assignees: ''
+
+---
+
+## To Reproduce
+
+Steps to reproduce the behavior:
+
+1. How was _cyclonedx-py_  called?
+   <!-- e.g. `cyclonedx-py requirements ...` -->
+2. What kind of evidence was processed?
+   <!-- upload a complete project or set of other evidences to this issue, or a pastebin of you choice and put the link here. -->
+3. Error report:
+   <!-- upload the complete output to this issue, or a pastebin of you choice and put the link here. -->
+4. Expected result:
+   <!-- run the original call again
+   with parameters `--no-validate -vvv -o -`, 
+   then upload the output this issue, or to a pastebin of you choice and put the link here. -->
+
+## Environment
+
+- _cyclonedx-py_ version: <!-- e.g. `v3.2.0`. get via `cyclonedx-py --version` -->
+- Python version: <!-- get via `python --version` -->
+- OS: <!-- e.g. windows 11, ubuntu linux, ... -->
+ 
+## Additional context
+
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,34 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[BUG]"
+labels: bug
+assignees: ''
+
+---
+
+## Describe the bug
+
+A clear and concise description of what the bug is.
+
+## To Reproduce
+
+Steps to reproduce the behavior
+
+## Expected behavior
+
+A clear and concise description of what you expected to happen.
+
+## Screenshots or output-paste
+
+If applicable, add screenshots or past the output to help explain your problem.
+
+## Environment
+
+- _cyclonedx-py_ version: <!-- e.g. `v3.2.0`. get via `cyclonedx-py --version` -->
+- Python version: <!-- get via `python --version` -->
+- OS: <!-- e.g. windows 11, ubuntu linux, ... -->
+
+## Additional context
+
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,24 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+## Is your feature request related to a problem? Please describe.
+
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+## Describe the solution you'd like
+
+A clear and concise description of what you want to happen.
+
+## Describe alternatives you've considered
+
+A clear and concise description of any alternative solutions or features you've considered.
+
+## Additional context
+
+Add any other context or screenshots about the feature request here.

.github/workflows/docker.yml

@@ -15,8 +15,8 @@ concurrency:
 
 env:
   REPORTS_DIR: CI_reports
-  PYTHON_VERISON: "3.10"
-  POETRY_VERSION: "1.1.15"
+  PYTHON_VERSION: "3.11"
+  POETRY_VERSION: "1.7.1"
 
 jobs:
   test:
@@ -34,11 +34,12 @@ jobs:
           fetch-depth: 0
       - name: setup reports-dir
         run: mkdir "$REPORTS_DIR"
-      - name: Setup python ${{ env.PYTHON_VERISON }}
+      - name: Setup python ${{ env.PYTHON_VERSION }}
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@v5
         with:
-          python-version: ${{ env.PYTHON_VERISON }}
+          python-version: ${{ env.PYTHON_VERSION }}
+          architecture: 'x64'
       - name: Setup poetry ${{ env.POETRY_VERSION }}
         # see https://github.com/marketplace/actions/setup-poetry
         uses: Gr1N/setup-poetry@v8
@@ -73,18 +74,16 @@ jobs:
       - name: Build own SBoM (XML)
         run: >
           docker run --rm "$DOCKER_TAG"
-          -X
-          --environment
-          --format=xml
-          --output=-
+          environment
+          -vvv
+          --output-format XML
           > "$REPORTS_DIR/docker-image.bom.xml"
       - name: Build own SBoM (JSON)
         run: >
           docker run --rm "$DOCKER_TAG"
-          -X
-          --environment
-          --format=json
-          --output=-
+          environment
+          -vvv
+          --output-format JSON
           > "$REPORTS_DIR/docker-image.bom.json"
       - name: Artifact reports
         if: ${{ ! cancelled() }}