✨ Core v1.7 Enablement

- Add spec version selection end-to-end with a new --spec-version flag (default 1.7).
- Update JSON and XML outputs to honor the selected spec version.
- Update fixtures, help text, tests, and docs.

Files:
- lib/bom_helpers.rb:
  - Added SUPPORTED_SPEC_VERSIONS, cyclonedx_xml_namespace helper.
build_bom now accepts spec_version and routes to:
    - build_json_bom(gems, spec_version) sets specVersion to the provided version.
    - build_bom_xml(gems, spec_version) sets xmlns to http://cyclonedx.org/schema/bom/<version>.</version>
- lib/bom_builder.rb:
  - Added --spec-version with validation; default is 1.7.
  - Pass @spec_version into build_bom(@Gems, @bom_output_format, @spec_version).

Author: pboling

README.md

@@ -29,14 +29,29 @@ cyclonedx-ruby [options]
 
     `-v, --[no-]verbose` Run verbosely
     `-p, --path path` Path to Ruby project directory
-    `-f, --format` Bom output format
+    `-o, --output bom_file_path` Path to output the bom file
+    `-f, --format bom_output_format` Output format for bom. Supported: xml (default), json
+    `-s, --spec-version version` CycloneDX spec version to target (default: 1.7). Supported: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7
     `-h, --help` Show help message
 
 **Output:** bom.xml or bom.json file in project directory
 
-#### Example
+- By default, outputs conform to CycloneDX spec version 1.7.
+- To generate an older spec version, use `--spec-version`.
+
+#### Examples
 ```bash
+# Default (XML, CycloneDX 1.7)
 cyclonedx-ruby -p /path/to/ruby/project
+
+# JSON at CycloneDX 1.7
+cyclonedx-ruby -p /path/to/ruby/project -f json
+
+# XML at CycloneDX 1.3
+cyclonedx-ruby -p /path/to/ruby/project -s 1.3
+
+# JSON at CycloneDX 1.2 to a custom path
+cyclonedx-ruby -p /path/to/ruby/project -f json -s 1.2 -o bom/out.json
 ```
 
 
@@ -48,4 +63,3 @@ CycloneDX Ruby Gem is Copyright (c) OWASP Foundation. All Rights Reserved.
 Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE] file for the full license.
 
 [License]: https://github.com/CycloneDX/cyclonedx-ruby-gem/blob/master/LICENSE
-

cyclonedx-ruby.gemspec

@@ -29,8 +29,8 @@ Gem::Specification.new do |spec|
   spec.add_dependency('activesupport', '~> 7.0')
   spec.add_development_dependency 'rake', '~> 13'
   spec.add_development_dependency 'rspec', '~> 3.12'
-  spec.add_development_dependency 'cucumber', '~> 8.0'
-  spec.add_development_dependency 'aruba', '~> 2.1'
+  spec.add_development_dependency 'cucumber', '~> 10.1', '>= 10.1.1'
+  spec.add_development_dependency 'aruba', '~> 2.2'
   spec.add_development_dependency 'simplecov', '~> 0.22.0'
   spec.add_development_dependency 'rubocop',  '~> 1.54'
 end

features/fixtures/simple/Gemfile

@@ -1,3 +1,7 @@
 source 'https://rubygems.org'
 
-gem 'activesupport'
+gem 'activesupport', '7.0.4.3'
+gem 'concurrent-ruby',  '1.2.2'
+gem 'i18n', '1.12.0'
+gem 'minitest', '5.18.0'
+gem 'tzinfo', '2.0.6'

features/fixtures/simple/Gemfile.lock

@@ -1,15 +1,15 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (7.0.7.1)
+    activesupport (7.0.4.3)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
     concurrent-ruby (1.2.2)
-    i18n (1.14.1)
+    i18n (1.12.0)
       concurrent-ruby (~> 1.0)
-    minitest (5.19.0)
+    minitest (5.18.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
 

features/fixtures/simple/bom.json.expected

@@ -1,6 +1,6 @@
 {
   "bomFormat": "CycloneDX",
-  "specVersion": "1.1",
+  "specVersion": "1.7",
   "serialNumber": "urn:uuid:d498cdc2-5494-4031-b37d-ff3d10d336bf",
   "version": 1,
   "components": [
@@ -105,4 +105,4 @@
       ]
     }
   ]
-}
+}

features/fixtures/simple/bom.xml.expected

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.1" version="1" serialNumber="urn:uuid:ffc51349-2d7d-408e-b2c1-3e3f220e6d2f">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7" version="1" serialNumber="urn:uuid:ffc51349-2d7d-408e-b2c1-3e3f220e6d2f">
   <components>
     <component type="library">
       <name>activesupport</name>

features/help.feature

@@ -12,5 +12,6 @@ Scenario: Generate help on demand
       -p, --path path                  (Required) Path to Ruby project directory
       -o, --output bom_file_path       (Optional) Path to output the bom.xml file to
       -f, --format bom_output_format   (Optional) Output format for bom. Currently support xml (default) and json.
+      -s, --spec-version version       (Optional) CycloneDX spec version to target (default: 1.7). Supported: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7
       -h, --help                       Show help message
   """

features/json_format.feature

@@ -40,4 +40,3 @@ Feature: Creating BOM using Json format
     """
     And a file named "bom.json" should exist
     And the generated Json BOM file "bom.json" matches "bom.json.expected"
-

features/step_definitions/json_bom_matching.rb

@@ -4,8 +4,8 @@
 
   serial_number_matcher = /\"serialNumber\": \"urn:uuid:[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\"/
   normalized_serial_number = '"serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000"'
-  normalized_generated_file_contents = generated_file_contents.gsub(serial_number_matcher, normalized_serial_number)
-  normalized_expected_file_contents = expected_file_contents.gsub(serial_number_matcher, normalized_serial_number)
+  normalized_generated_file_contents = generated_file_contents.gsub(serial_number_matcher, normalized_serial_number).rstrip
+  normalized_expected_file_contents = expected_file_contents.gsub(serial_number_matcher, normalized_serial_number).rstrip
 
   expect(normalized_expected_file_contents).to eq(normalized_generated_file_contents)
 end

lib/bom_builder.rb

@@ -35,26 +35,27 @@
 
 class Bombuilder
   SUPPORTED_BOM_FORMATS = %w[xml json]
+  SUPPORTED_SPEC_VERSIONS = %w[1.1 1.2 1.3 1.4 1.5 1.6 1.7]
 
   def self.build(path)
     original_working_directory = Dir.pwd
     setup(path)
     specs_list
-    bom = build_bom(@gems, @bom_output_format)
+    bom = build_bom(@gems, @bom_output_format, @spec_version)
 
     begin
       @logger.info("Changing directory to the original working directory located at #{original_working_directory}")
       Dir.chdir original_working_directory
     rescue StandardError => e
-      @logger.error("Unable to change directory the original working directory located at #{original_working_directory}. #{e.message}: #{e.backtrace.join('\n')}")
+      @logger.error("Unable to change directory the original working directory located at #{original_working_directory}. #{e.message}: #{Array(e.backtrace).join("\n")}")
       abort
     end
 
     bom_directory = File.dirname(@bom_file_path)
     begin
       FileUtils.mkdir_p(bom_directory) unless File.directory?(bom_directory)
     rescue StandardError => e
-      @logger.error("Unable to create the directory to hold the BOM output at #{@bom_directory}. #{e.message}: #{e.backtrace.join('\n')}")
+      @logger.error("Unable to create the directory to hold the BOM output at #{bom_directory}. #{e.message}: #{Array(e.backtrace).join("\n")}")
       abort
     end
 
@@ -68,7 +69,7 @@ def self.build(path)
         puts "#{@gems.size} gems were written to BOM located at #{@bom_file_path}"
       end
     rescue StandardError => e
-      @logger.error("Unable to write BOM to #{@bom_file_path}. #{e.message}: #{e.backtrace.join('\n')}")
+      @logger.error("Unable to write BOM to #{@bom_file_path}. #{e.message}: #{Array(e.backtrace).join("\n")}")
       abort
     end
   end
@@ -81,21 +82,27 @@ def self.setup(path)
       opts.on('-v', '--[no-]verbose', 'Run verbosely') do |v|
         @options[:verbose] = v
       end
-      opts.on('-p', '--path path', '(Required) Path to Ruby project directory') do |path|
-        @options[:path] = path
+      opts.on('-p', '--path path', '(Required) Path to Ruby project directory') do |proj_path_opt|
+        @options[:path] = proj_path_opt
       end
       opts.on('-o', '--output bom_file_path', '(Optional) Path to output the bom.xml file to') do |bom_file_path|
         @options[:bom_file_path] = bom_file_path
       end
       opts.on('-f', '--format bom_output_format', '(Optional) Output format for bom. Currently support xml (default) and json.') do |bom_output_format|
         @options[:bom_output_format] = bom_output_format
       end
+      opts.on('-s', '--spec-version version', '(Optional) CycloneDX spec version to target (default: 1.7). Supported: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7') do |spec_version|
+        @options[:spec_version] = spec_version
+      end
       opts.on_tail('-h', '--help', 'Show help message') do
         puts opts
         exit
       end
     end.parse!
 
+    # Allow passing the path as a positional arg via exe wrapper
+    @options[:path] ||= path
+
     @logger = Logger.new($stdout)
     @logger.level = if @options[:verbose]
                       Logger::INFO
@@ -117,11 +124,15 @@ def self.setup(path)
       abort
     end
 
+    # Normalize to an absolute project path to avoid relative path issues later
+    @project_path = File.expand_path(@options[:path])
+    @provided_path = @options[:path]
+
     begin
-      @logger.info("Changing directory to Ruby project directory located at #{@options[:path]}")
-      Dir.chdir @options[:path]
+      @logger.info("Changing directory to Ruby project directory located at #{@provided_path}")
+      Dir.chdir @project_path
     rescue StandardError => e
-      @logger.error("Unable to change directory to Ruby project directory located at #{@options[:path]}. #{e.message}: #{e.backtrace.join('\n')}")
+      @logger.error("Unable to change directory to Ruby project directory located at #{@provided_path}. #{e.message}: #{Array(e.backtrace).join("\n")}")
       abort
     end
 
@@ -134,6 +145,15 @@ def self.setup(path)
       abort
     end
 
+    # Spec version selection
+    requested_spec = @options[:spec_version] || '1.7'
+    if SUPPORTED_SPEC_VERSIONS.include?(requested_spec)
+      @spec_version = requested_spec
+    else
+      @logger.error("Unrecognized CycloneDX spec version '#{requested_spec}'. Please choose one of #{SUPPORTED_SPEC_VERSIONS}")
+      abort
+    end
+
     @bom_file_path = if @options[:bom_file_path].nil?
                        "./bom.#{@bom_output_format}"
                      else
@@ -143,13 +163,16 @@ def self.setup(path)
     @logger.info("BOM will be written to #{@bom_file_path}")
 
     begin
-      gemfile_path = "#{@options[:path]}/Gemfile.lock"
-      @logger.info("Parsing specs from #{gemfile_path}...")
+      # Use absolute path so it's correct regardless of current working directory
+      gemfile_path = File.join(@project_path, 'Gemfile.lock')
+      # Compute display path for logs: './Gemfile.lock' when provided path is '.', else '<provided>/Gemfile.lock'
+      display_gemfile_path = (@provided_path == '.' ? './Gemfile.lock' : File.join(@provided_path, 'Gemfile.lock'))
+      @logger.info("Parsing specs from #{display_gemfile_path}...")
       gemfile_contents = File.read(gemfile_path)
       @specs = Bundler::LockfileParser.new(gemfile_contents).specs
       @logger.info('Specs successfully parsed!')
     rescue StandardError => e
-      @logger.error("Unable to parse specs from #{gemfile_path}. #{e.message}: #{e.backtrace.join('\n')}")
+      @logger.error("Unable to parse specs from #{gemfile_path}. #{e.message}: #{Array(e.backtrace).join("\n")}")
       abort
     end
   end