🎨 modernize for 2025 #38
Conversation
pboling
changed the title
There was a problem hiding this comment.
Pull Request Overview
This PR modernizes the cyclonedx-ruby gem for 2025 by refactoring the codebase to use proper namespacing under the Cyclonedx module, introducing a deprecation system for backward compatibility, and updating dependencies. The changes prepare for a v2.0.0 release while maintaining compatibility with existing code through deprecated aliases.
Key changes:
- Refactored global methods and classes into the
Cyclonedxnamespace with deprecation warnings for legacy usage - Fixed Nokogiri XML builder conflict with globally-scoped
purlmethod - Updated development dependencies (cucumber v8→v10, aruba v2.1→v2.2)
Reviewed Changes
Copilot reviewed 25 out of 34 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| lib/cyclonedx/ruby.rb | New main entry point that requires all Cyclonedx module components |
| lib/cyclonedx/bom_helpers.rb | Refactored helper methods into Cyclonedx::BomHelpers module |
| lib/cyclonedx/bom_component.rb | Moved BomComponent class into Cyclonedx namespace |
| lib/cyclonedx/bom_builder.rb | Moved Bombuilder class into Cyclonedx namespace as BomBuilder |
| lib/cyclonedx/ruby/version.rb | New version constant structure |
| lib/cyclonedx/ruby/deprecation.rb | New deprecation management module |
| lib/cyclonedx_deprecated.rb | Compatibility layer providing deprecated aliases |
| lib/bom_*.rb | Legacy entry points now redirect to new namespaced code |
| spec/spec_helper.rb | Updated test configuration and loading logic |
| spec/cyclonedx/*.rb | New namespaced test files |
| cyclonedx-ruby.gemspec | Updated metadata and dependency versions |
| exe/cyclonedx-ruby | Updated executable with backward compatibility logic |
| CHANGELOG.md | New changelog documenting all changes |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
some SCA is failing: https://app.codacy.com/gh/CycloneDX/cyclonedx-ruby-gem/pull-requests/38/issues |
|
@jkowalleck there are 10 minor and 60 medium SCA violations. I'd like to focus on this PR not changing much runtime logic. Would you prefer to fix them in a separate PR, or just the medium ones here, or all of them here? |
I dont know whether the SCA issue already existed, and were reported only because the code moved from one file to another. |
|
there seams to be some CI/CT failing. |
|
Looking into the CI failures, and will fix the license link in README, and add CONTRIBUTING.md. I looked at other projects in this org, and it seems the are using contributor covenant v2.0. So following that pattern I'm adding contributor covenant v2.1, using the same contact email as the other projects have. |
|
I’d like to see this work integrated too. Thanks @pboling! one request: remove unnecessary 3rd party dependencies. No real reason this lib needs nokogiri or rest-client. |
Signed-off-by: Peter H. Boling <[email protected]>
Signed-off-by: Peter H. Boling <[email protected]>
- .gitignore - .rspec Signed-off-by: Peter H. Boling <[email protected]>
Signed-off-by: Peter H. Boling <[email protected]>
### Added - `CHANGELOG.md` file to document notable changes in keep-a-changelog format - `Cyclonedx::BomHelpers` module to house helper methods, replacing global methods - `Cyclonedx::BomBuilder` class, replacing `Bombuilder` (note the capitalization change) - `Cyclonedx::BomComponent` class, replacing `BomComponent` - `Cyclonedx::Ruby::Version::VERSION` constant to hold the version number (also available as `Cyclonedx::VERSION`) - `Cyclonedx::Ruby::Deprecation` module to help manage deprecations ### Changed - Updated gemspec metadata for clarity and consistency - Modernized Rakefile, dotfiles, and test setup - `LICENSE` => `LICENSE.txt` to simplify parsing consistency on various platforms and tools - `cucumber` v8 => v10 - `aruba` v2.1 => v2.2 ### Deprecated - `BomComponent` => `Cyclonedx::BomComponent` - `Bombuilder` => `Cyclonedx::BomBuilder` (note the capitalization change) - `Object.purl` => `Cyclonedx::BomHelpers.purl` - `Object.random_urn_uuid` => `Cyclonedx::BomHelpers.random_urn_uuid` - `Object.build_bom` => `Cyclonedx::BomHelpers.build_bom` - `Object.build_json_bom` => `Cyclonedx::BomHelpers.build_json_bom` - `Object.build_bom_xml` => `Cyclonedx::BomHelpers.build_bom_xml` - `Object.get_gem` => `Cyclonedx::BomHelpers.get_gem` Signed-off-by: Peter H. Boling <[email protected]>
### Added - `CHANGELOG.md` file to document notable changes in keep-a-changelog format - `Cyclonedx::BomHelpers` module to house helper methods, replacing global methods - `Cyclonedx::BomBuilder` class, replacing `Bombuilder` (note the capitalization change) - `Cyclonedx::BomComponent` class, replacing `BomComponent` - `Cyclonedx::Ruby::Version::VERSION` constant to hold the version number (also available as `Cyclonedx::VERSION`) - `Cyclonedx::Ruby::Deprecation` module to help manage deprecations ### Changed - Updated gemspec metadata for clarity and consistency - Modernized Rakefile, dotfiles, and test setup - `LICENSE` => `LICENSE.txt` to simplify parsing consistency on various platforms and tools - `cucumber` v8 => v10 - `aruba` v2.1 => v2.2 ### Deprecated - `BomComponent` => `Cyclonedx::BomComponent` - `Bombuilder` => `Cyclonedx::BomBuilder` (note the capitalization change) - `Object.purl` => `Cyclonedx::BomHelpers.purl` - `Object.random_urn_uuid` => `Cyclonedx::BomHelpers.random_urn_uuid` - `Object.build_bom` => `Cyclonedx::BomHelpers.build_bom` - `Object.build_json_bom` => `Cyclonedx::BomHelpers.build_json_bom` - `Object.build_bom_xml` => `Cyclonedx::BomHelpers.build_bom_xml` - `Object.get_gem` => `Cyclonedx::BomHelpers.get_gem` ### Fixed - `Nokogiri::XML::Builder` context relies on `method_missing` - Globally defined `Object#purl` conflicted with `<purl>`. - Moved to `Cyclonedx::BomHelpers.purl` to avoid conflict in v2.0.0 (along with all other global methods) - Fixed existing usage via the built-in Nokogiri workaround of adding an underscore `purl_` - The XML tag is unchanged as `<purl>` Signed-off-by: Peter H. Boling <[email protected]>
Signed-off-by: Peter H. Boling <[email protected]>
Signed-off-by: Peter H. Boling <[email protected]>
Signed-off-by: Peter H. Boling <[email protected]>
pboling
force-pushed
the
fix/nokogiri-incompatible-with-global-purl
branch
from
1352653 to
6ebe091
Compare
Signed-off-by: Peter H. Boling <[email protected]>
pboling
force-pushed
the
fix/nokogiri-incompatible-with-global-purl
branch
2 times, most recently
from
39b4cb3 to
23ef3f8
Compare
- Bigger build matrix changes are needed to continue running against older bunlders. - will introduce the appraisal pattern later Signed-off-by: Peter H. Boling <[email protected]>
Signed-off-by: Peter H. Boling <[email protected]>
|
@jkowalleck this is done, I tihnk. CI matrix should be passing now, and all comments have been addressed. LMK if there is anything else to be done here. I've got a lot more improvements I'd like to make, so these initial 4 PRs are just the beginning. |
pboling
force-pushed
the
fix/nokogiri-incompatible-with-global-purl
branch
from
23ef3f8 to
e0de431
Compare
|
The other 3 PRs have been fully rebased and re-stacked. |
| remote: . | ||
| specs: | ||
| cyclonedx-ruby (1.2.0) | ||
| activesupport (~> 7.0) |
There was a problem hiding this comment.
I'll be adding discrete support for testing against different versions of dependencies when I add appraisals in a different PR, and I'll also take that opportunity to rip out the active support dependency completely. It's way too much for this PR though.
There was a problem hiding this comment.
note to self: create a ticket for this
|
@mperham - yes, I'll be trimming the dependencies in a future PR. |
| - '3.4.7' | ||
| - '3.3.9' | ||
| - '3.2.9' | ||
| # Not supported by latest bundler. These will be added back to the build matrix later. |
There was a problem hiding this comment.
note to self: create a followup ticket for this
| remote: . | ||
| specs: | ||
| cyclonedx-ruby (1.2.0) | ||
| activesupport (~> 7.0) |
There was a problem hiding this comment.
note to self: create a ticket for this
bom.xml
Outdated
| @@ -0,0 +1,75 @@ | |||
| <?xml version="1.0" encoding="UTF-8"?> | |||
| <bom xmlns="http://cyclonedx.org/schema/bom/1.1" version="1" serialNumber="urn:uuid:ffc51349-2d7d-408e-b2c1-3e3f220e6d2f"> | |||
| <components> | |||
There was a problem hiding this comment.
why would we want to publish our own bom in the repo here?
why in CycloneDX1.1 format?
There was a problem hiding this comment.
These were test artifacts, and were added accidentally. They were v1.1 because that's all this gem supports in the current state. I've added them to .gitignore, and removed them from this PR... but now that I'm thinking about it,
why would we want to publish our own bom in the repo here?
should this gem dogfood itself, and ship its own BOM built with itself?
Seems like that could be a reasonable goal.
There was a problem hiding this comment.
should this gem dogfood itself, and ship its own BOM built with itself?
creating a BOM could be part of the release, when the gem is compiled.
then, that BOM would be a welcome release artifact.
There was a problem hiding this comment.
I like the idea. I'll work on that in a future PR! For this one the bom artifcats are removed.
certs/pboling.pem
Outdated
There was a problem hiding this comment.
why would we want the cert of developers/contributors/maintainers in our git repo?
see also my remarks on the CONTRIBUTING.md file
There was a problem hiding this comment.
It is useful to track who the gem signers are, IMO. It definitely doesn't have to be done this way, but I expect people in the community would find value in seeing it.
There was a problem hiding this comment.
Additionally, until there is a proper signing key host we rely on as a community, this is the next best thing. Signing gems is pointless if the signing can't be verified, and that can only be done against the public cert. I've made mine available in a special "certs" project for longevity, but in order to facilitate other signers/releasers it makes sense to have a copy in the repo itself. I am certain that this pattern is in need of improvement, but I'm not sure if it is something that should be solved here / now.
There was a problem hiding this comment.
FWIW: This is what I envision adding to the readme at some point (made less invasive by placing in details tag as I do on other projects perhaps).
🔒 Secure Installation
For Medium or High Security Installations
This gem is cryptographically signed, and has verifiable SHA-256 and SHA-512 checksums. Be sure the gem you install hasn’t been tampered with by following the instructions below.
Add signer's public key (if you haven’t already, expires 2045-04-29) as a trusted certificate:
gem cert --add <(curl -Ls https://raw.github.com/galtzo-floss/certs/main/pboling.pem)You only need to do that once. Then proceed to install with:
gem install cyclonedx-ruby -P HighSecurityThe HighSecurity trust profile will verify signed gems, and not allow the installation of unsigned dependencies.
If you want to up your security game full-time:
bundle config set --global trust-policy MediumSecurityMediumSecurity instead of HighSecurity is necessary if not all the gems you use are signed.
NOTE: Be prepared to track down certs for signed gems and add them the same way you added this signer's.
There was a problem hiding this comment.
That gem cert add command is the core of the question here.
I have a centralized certs project so I can use that same line in every gem I publish.
This one could alternatively use:
gem cert --add <(curl -Ls https://raw.github.com/CycloneDX/cyclonedx-ruby-gem/main/certs/pboling.pem)
but only if we keep the certs in this repo.
I'm open to other ideas. The gem signing infrastructure for Ruby is admittedly lackluster. I am trying to improve it, but that's a separate effort.
There was a problem hiding this comment.
this signing process is premature. please remove it for now.
There was a problem hiding this comment.
Premature is an accurate assessment. I'll remove it.
There was a problem hiding this comment.
@jkowalleck it is worth noting that other signed gems that are developed by a team use a team cert, shared among those who publish the gem, and rotated when that set changes. It's a small improvement, but the entire process is still very under-developed.
There was a problem hiding this comment.
@jkowalleck gem signing / cert logic is removed.
cyclonedx-ruby.gemspec
Outdated
| spec.metadata["source_code_uri"] = "#{spec.homepage}/tree/v#{spec.version}" | ||
| spec.metadata["changelog_uri"] = "#{spec.homepage}/blob/v#{spec.version}/CHANGELOG.md" | ||
| spec.metadata["bug_tracker_uri"] = "#{spec.homepage}/issues" | ||
| spec.metadata["documentation_uri"] = "https://www.rubydoc.info/gems/#{spec.name}/#{spec.version}" |
There was a problem hiding this comment.
please remove, as long as we don't host any docs there.
There was a problem hiding this comment.
https://github.com/docmeta/rubydoc.info is is the semi-official doc host for all rubygems (public service, community supported), so the docs will be hosted there regardless of whether we link to them or not. They host the docs of all public rubygems, without exceptions. Is there a preferred doc host we could link instead?
There was a problem hiding this comment.
They are actually already hosted there, but the documentation isn't great in the current release. The next release will have excellent YARD documentation.
There was a problem hiding this comment.
They are actually already hosted there, but the documentation isn't great in the current release. The next release will have excellent YARD documentation.
then better remove the link until we have docs worth reading.
Is there a preferred doc host we could link instead?
undecided.
Signed-off-by: Jan Kowalleck <[email protected]>
- cleanup spec.files Signed-off-by: Peter H. Boling <[email protected]>
Signed-off-by: Peter H. Boling <[email protected]>
Signed-off-by: Peter H. Boling <[email protected]>
Signed-off-by: Peter H. Boling <[email protected]>
|
@jkowalleck I'm not sure what happened, but it seems the Codacy issues are no longer extant. Maybe the linting auto-fixes resolved them? :) |
4 participants
🎨 modernize for 2025
Added
CONTRIBUTING.mdfile to help people find their way to contributingCHANGELOG.mdfile to document notable changes in keep-a-changelog formatCyclonedx::BomHelpersmodule to house helper methods, replacing global methodsCyclonedx::BomBuilderclass, replacingBombuilder(note the capitalization change)Cyclonedx::BomComponentclass, replacingBomComponentCyclonedx::Ruby::Version::VERSIONconstant to hold the version number (also available asCyclonedx::VERSION)Cyclonedx::Ruby::Deprecationmodule to help manage deprecationsstone_checksumsChanged
LICENSE=>LICENSE.txtto simplify parsing consistency on various platforms and toolscucumberv8 => v10arubav2.1 => v2.2Deprecated
BomComponent=>Cyclonedx::BomComponentBombuilder=>Cyclonedx::BomBuilder(note the capitalization change)Object.purl=>Cyclonedx::BomHelpers.purlObject.random_urn_uuid=>Cyclonedx::BomHelpers.random_urn_uuidObject.build_bom=>Cyclonedx::BomHelpers.build_bomObject.build_json_bom=>Cyclonedx::BomHelpers.build_json_bomObject.build_bom_xml=>Cyclonedx::BomHelpers.build_bom_xmlObject.get_gem=>Cyclonedx::BomHelpers.get_gemFixed
Nokogiri::XML::Buildercontext relies onmethod_missingObject#purlconflicted with<purl>.Cyclonedx::BomHelpers.purlto avoid conflict in v2.0.0 (along with all other global methods)purl_<purl>Signed-off-by: Peter H. Boling [email protected]