Merge branch 'master' into add-conda-hash

Author: madpah

.github/workflows/docker.yml

@@ -33,7 +33,7 @@ jobs:
 
       - name: Setup python ${{ env.PYTHON_VERISON }}
         # see https://github.com/actions/setup-python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
         with:
           python-version: ${{ env.PYTHON_VERISON }}
       - name: Setup poetry ${{ env.POETRY_VERSION }}

.github/workflows/manual-release-candidate.yml

@@ -24,7 +24,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - uses: actions/setup-python@v3
+      - uses: actions/setup-python@v4
         with:
           python-version: ${{ env.PYTHON_VERISON }}
       - name: Install dependencies

.github/workflows/python.yml

@@ -43,7 +43,7 @@ jobs:
         uses: actions/checkout@v3
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
         with:
           python-version: ${{ env.PYTHON_VERISON_DEFAULT }}
           architecture: 'x64'
@@ -55,19 +55,29 @@ jobs:
       - name: Install dependencies
         run: poetry install
       - name: Run tox
-        run: poetry run tox -e flake8
+        run: poetry run tox -e flake8 -s false
 
   static-code-analysis:
-    name: Static Coding Analysis
+    name: Static Coding Analysis (py${{ matrix.python-version}} ${{ matrix.toxenv-factor }})
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - # test with the locked dependencies
+            python-version: '3.10'
+            toxenv-factor: 'locked'
+          - # test with the lowest dependencies
+            python-version: '3.6'
+            toxenv-factor: 'lowest'
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@v3
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
         with:
           python-version: ${{ env.PYTHON_VERISON_DEFAULT }}
           architecture: 'x64'
@@ -79,10 +89,10 @@ jobs:
       - name: Install dependencies
         run: poetry install
       - name: Run tox
-        run: poetry run tox -e mypy
+        run: poetry run tox -e mypy-${{ matrix.toxenv-factor }} -s false
 
   build-and-test:
-    name: Tests for Python ${{ matrix.python-version }} on ${{ matrix.os }}
+    name: Test (${{ matrix.os }} py${{ matrix.python-version }} ${{ matrix.toxenv-factor }})
     runs-on: ${{ matrix.os }}
     timeout-minutes: 10
     env:
@@ -97,6 +107,12 @@ jobs:
           - "3.8"
           - "3.7"
           - "3.6"  # lowest supported
+        toxenv-factor: ['locked']
+        include:
+          - # test with the lowest dependencies
+            os: 'ubuntu-latest'
+            python-version: '3.6'
+            toxenv-factor: 'lowest'
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
@@ -105,7 +121,7 @@ jobs:
         run: mkdir ${{ env.REPORTS_DIR }}
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python-version }}
           architecture: 'x64'
@@ -119,11 +135,11 @@ jobs:
       - name: Ensure build successful
         run: poetry build
       - name: Run tox
-        run: poetry run tox -e py -s false
+        run: poetry run tox -e py-${{ matrix.toxenv-factor }} -s false
       - name: Generate coverage reports
         run: >
           poetry run coverage report &&
-          poetry run coverage xml -o ${{ env.REPORTS_DIR }}/coverage-${{ matrix.os }}-${{ matrix.python-version }}.xml &&
+          poetry run coverage xml -o ${{ env.REPORTS_DIR }}/coverage-${{ matrix.os }}-${{ matrix.python-version }}-${{ matrix.toxenv-factor }}.xml &&
           poetry run coverage html -d ${{ env.REPORTS_DIR }}
       - name: Artifact reports
         if: ${{ ! cancelled() }}

.github/workflows/release.yml

@@ -54,7 +54,7 @@ jobs:
           fetch-depth: 0  # action `relekang/python-semantic-release` requires all git history
       - name: Setup python ${{ env.PYTHON_VERISON }}
         # see https://github.com/actions/setup-python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
         with:
           python-version: ${{ env.PYTHON_VERISON }}
       - name: Setup poetry ${{ env.POETRY_VERSION }}

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 <!--next-version-placeholder-->
 
+## v3.2.2 (2022-06-02)
+### Fix
+* Add actively used (transitive) dependencies ([#363](https://github.com/CycloneDX/cyclonedx-python/issues/363)) ([`1f45ad9`](https://github.com/CycloneDX/cyclonedx-python/commit/1f45ad9162be511f07e9310414793218c554a097))
+
 ## v3.2.1 (2022-04-05)
 ### Fix
 * Cli default file for json format ([`8747620`](https://github.com/CycloneDX/cyclonedx-python/commit/8747620dac7ed3eeff69369c05dfb6386a56e549))

cyclonedx_py/client.py

@@ -105,14 +105,24 @@ def get_output(self) -> BaseOutput:
 
         bom = Bom.from_parser(parser=parser)
 
-        # Add cyclonedx_bom as a Tool to record it being part of the CycloneDX SBOM generation process
-        if sys.version_info >= (3, 8, 0):
-            from importlib.metadata import version as md_version
+        # region Add cyclonedx_bom as a Tool to record it being part of the CycloneDX SBOM generation process
+        if sys.version_info < (3, 8):
+            from typing import Callable
+
+            from importlib_metadata import version as __md_version
+
+            # this stupid kind of code is needed to satisfy mypy/typing
+            _md_version: Callable[[str], str] = __md_version
         else:
-            from importlib_metadata import version as md_version  # type: ignore
+            from importlib.metadata import version as _md_version
+        _this_tool_name = 'cyclonedx-bom'
+        _this_tool_version: Optional[str] = _md_version(_this_tool_name)
         bom.metadata.tools.add(Tool(
-            vendor='CycloneDX', name='cyclonedx-bom', version=md_version('cyclonedx-bom')
+            vendor='CycloneDX',
+            name=_this_tool_name,
+            version=_this_tool_version
         ))
+        # endregion
 
         return get_output_instance(
             bom=bom,

cyclonedx_py/parser/environment.py

@@ -35,7 +35,10 @@
 from pkg_resources import DistInfoDistribution  # type: ignore
 
 if sys.version_info >= (3, 8):
-    from email.message import Message as _MetadataReturn
+    if sys.version_info >= (3, 10):
+        from importlib.metadata import PackageMetadata as _MetadataReturn
+    else:
+        from email.message import Message as _MetadataReturn
     from importlib.metadata import metadata
 else:
     from importlib_metadata import metadata, PackageMetadata as _MetadataReturn