✨ --include-metadata (metadata.tools) & --enrich-components #40
base: master
Conversation
Pull Request Overview
This pull request introduces support for emitting metadata.tools information in CycloneDX BOMs when the --include-metadata flag is provided. The tools metadata identifies the producer (CycloneDX, cyclonedx-ruby, and the gem version) and is emitted for both JSON and XML formats when the selected spec version is >= 1.2.
Key changes:
- Added --include-metadata CLI flag to control metadata.tools emission
- Implemented metadata.tools generation for JSON and XML BOM formats
- Restructured test files and added RSpec configuration
- Added unit and integration tests for the new functionality
Reviewed Changes
Copilot reviewed 62 out of 82 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| spec/spec_helper.rb | Replaced Aruba-based configuration with standard RSpec setup including SimpleCov initialization |
| spec/cyclonedx/ruby_spec.rb | Added version number existence test for the gem |
| spec/cyclonedx/metadata_tools_spec.rb | New test file validating metadata.tools emission in JSON and XML BOMs |
| spec/cyclonedx/bom_helpers_spec.rb | Tests for BomHelpers.purl method with legacy method compatibility check |
| spec/cyclonedx/bom_component_spec.rb | Updated to use namespaced class name (Cyclonedx::BomComponent) |
| spec/bom_helpers_spec.rb | Deleted legacy test file |
| sig/cyclonedx/ruby.rbs | Added RBS type signature for the Ruby module with VERSION constant |
| schema/*.{json,xsd,proto} | Added CycloneDX schema files for various versions and formats |
| schema/README.md | Documentation about the CycloneDX specification and schemas |
| lib/cyclonedx_deprecated.rb | Backward compatibility layer providing deprecated global methods |
| lib/cyclonedx/ruby/version.rb | Version constant definition (VERSION = "1.2.0") |
| lib/cyclonedx/ruby.rb | Main entry point requiring dependencies and gem components |
| features/support/*.rb | Added frozen_string_literal comments |
| validation without needing internet access. | ||
| Namespace: urn:oasis:names:tc:entity:xmlns:xml:catalog | ||
| --> | ||
| <!-- to prevent unintendedn notwork access, we do not set a DTD/XSD in this XML --> |
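Review bot: the comment on the last line explains that no DTD/XSD is declared so that resolving this catalog never reaches the network, and the first line promises validation without internet access; that guarantee only holds if the parser that loads the catalog and the BOM is itself configured not to fetch external DTDs or schema locations, so consider naming that parser setting in the comment (or next to the catalog) so both halves of the guarantee are recorded in one place.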
Copilot
AI
Oct 26, 2025
Corrected spelling of 'unintended' (was 'unintendedn') and 'network' (was 'notwork').
| <!-- to prevent unintendedn notwork access, we do not set a DTD/XSD in this XML --> | |
| <!-- to prevent unintended network access, we do not set a DTD/XSD in this XML --> |
Signed-off-by: Peter H. Boling <[email protected]>
- .gitignore
- .rspec
Signed-off-by: Peter H. Boling <[email protected]>
### Added
- `CHANGELOG.md` file to document notable changes in keep-a-changelog format
- `Cyclonedx::BomHelpers` module to house helper methods, replacing global methods
- `Cyclonedx::BomBuilder` class, replacing `Bombuilder` (note the capitalization change)
- `Cyclonedx::BomComponent` class, replacing `BomComponent`
- `Cyclonedx::Ruby::Version::VERSION` constant to hold the version number (also available as `Cyclonedx::VERSION`)
- `Cyclonedx::Ruby::Deprecation` module to help manage deprecations
### Changed
- Updated gemspec metadata for clarity and consistency
- Modernized Rakefile, dotfiles, and test setup
- `LICENSE` => `LICENSE.txt` to simplify parsing consistency on various platforms and tools
- `cucumber` v8 => v10
- `aruba` v2.1 => v2.2
### Deprecated
- `BomComponent` => `Cyclonedx::BomComponent`
- `Bombuilder` => `Cyclonedx::BomBuilder` (note the capitalization change)
- `Object.purl` => `Cyclonedx::BomHelpers.purl`
- `Object.random_urn_uuid` => `Cyclonedx::BomHelpers.random_urn_uuid`
- `Object.build_bom` => `Cyclonedx::BomHelpers.build_bom`
- `Object.build_json_bom` => `Cyclonedx::BomHelpers.build_json_bom`
- `Object.build_bom_xml` => `Cyclonedx::BomHelpers.build_bom_xml`
- `Object.get_gem` => `Cyclonedx::BomHelpers.get_gem`
Signed-off-by: Peter H. Boling <[email protected]>
### Added
- `CHANGELOG.md` file to document notable changes in keep-a-changelog format
- `Cyclonedx::BomHelpers` module to house helper methods, replacing global methods
- `Cyclonedx::BomBuilder` class, replacing `Bombuilder` (note the capitalization change)
- `Cyclonedx::BomComponent` class, replacing `BomComponent`
- `Cyclonedx::Ruby::Version::VERSION` constant to hold the version number (also available as `Cyclonedx::VERSION`)
- `Cyclonedx::Ruby::Deprecation` module to help manage deprecations
### Changed
- Updated gemspec metadata for clarity and consistency
- Modernized Rakefile, dotfiles, and test setup
- `LICENSE` => `LICENSE.txt` to simplify parsing consistency on various platforms and tools
- `cucumber` v8 => v10
- `aruba` v2.1 => v2.2
### Deprecated
- `BomComponent` => `Cyclonedx::BomComponent`
- `Bombuilder` => `Cyclonedx::BomBuilder` (note the capitalization change)
- `Object.purl` => `Cyclonedx::BomHelpers.purl`
- `Object.random_urn_uuid` => `Cyclonedx::BomHelpers.random_urn_uuid`
- `Object.build_bom` => `Cyclonedx::BomHelpers.build_bom`
- `Object.build_json_bom` => `Cyclonedx::BomHelpers.build_json_bom`
- `Object.build_bom_xml` => `Cyclonedx::BomHelpers.build_bom_xml`
- `Object.get_gem` => `Cyclonedx::BomHelpers.get_gem`
### Fixed
- `Nokogiri::XML::Builder` context relies on `method_missing`
  - Globally defined `Object#purl` conflicted with `<purl>`.
  - Moved to `Cyclonedx::BomHelpers.purl` to avoid conflict in v2.0.0 (along with all other global methods)
  - Fixed existing usage via the built-in Nokogiri workaround of adding an underscore `purl_`
  - The XML tag is unchanged as `<purl>`
Signed-off-by: Peter H. Boling <[email protected]>
- Bigger build matrix changes are needed to continue running against older bundlers.
- will introduce the appraisal pattern later
Signed-off-by: Peter H. Boling <[email protected]>
e20181d to bc50e2a
Signed-off-by: Jan Kowalleck <[email protected]>
- cleanup spec.files
Signed-off-by: Peter H. Boling <[email protected]>
4b7c15e to 20ae716
- Add spec version selection end-to-end with a new --spec-version flag (default 1.7).
- Update JSON and XML outputs to honor the selected spec version.
- Update fixtures, help text, tests, and docs.
Files:
- lib/bom_helpers.rb:
  - Added SUPPORTED_SPEC_VERSIONS, cyclonedx_xml_namespace helper.
  - build_bom now accepts spec_version and routes to:
    - build_json_bom(gems, spec_version) sets specVersion to the provided version.
    - build_bom_xml(gems, spec_version) sets xmlns to http://cyclonedx.org/schema/bom/<version>.
- lib/bom_builder.rb:
  - Added --spec-version with validation; default is 1.7.
  - Pass @spec_version into build_bom(@Gems, @bom_output_format, @spec_version).
Signed-off-by: Peter H. Boling <[email protected]>
- Added --validate and --validate-file flags in Cyclonedx::BomBuilder.
- After writing the BOM, if --validate is set, validate JSON via JSON Schema and XML via XSD with local files under schema/.
- Added logic to validate an existing file with --validate --validate-file <path>, inferring format from extension unless --format is provided.
- In validate-only mode, project path isn’t required.
- Added Cyclonedx::BomHelpers.validate_bom_content(content, format, spec_version) which:
  - For JSON: uses json_schemer to validate against bom-<ver>.schema.json.
  - For XML: uses Nokogiri::XML::Schema with bom-<ver>.xsd.
  - Uses local schemas at schema/ and surfaces compact error messages; returns non-zero exit on failure.
- Added json_schemer (~> 2.2) to cyclonedx-ruby.gemspec.
- Required json_schemer in lib/cyclonedx/ruby.rb.
- Updated features/help.feature to show the new flags.
- Added features/validate.feature:
  - Validate XML BOM succeeds.
  - Validate JSON BOM succeeds.
  - Validate fails for invalid XML BOM (corrupts namespace and expects exit 1).
  - Infer format from file extension when using --validate-file and no --format provided.
Signed-off-by: Peter H. Boling <[email protected]>
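The validation flow the commit above describes, as an added example that is not cyclonedx-ruby's own `--validate` code: infer the format from the file extension unless one is given, check the document's declared spec version against a supported set and, for XML, against the `http://cyclonedx.org/schema/bom/<version>` namespace, then return compact errors and an exit status. The gem validates with json_schemer and Nokogiri::XML::Schema against its local schema files; the structural checks here are a stand-in so the example needs only Ruby's `json` and `rexml` libraries. The version set and the sample documents are constructed for this example.

```ruby
require "json"
require "rexml/document"

# Added example, not cyclonedx-ruby's own code. Stand-in for the
# --validate / --validate-file flow: infer the format, run a structural
# check, report compact errors and an exit status.
module BomValidationExample
  # Assumed set for this example; the gem keeps its own SUPPORTED_SPEC_VERSIONS.
  SUPPORTED_SPEC_VERSIONS = %w[1.2 1.3 1.4 1.5 1.6 1.7].freeze
  NAMESPACE_PREFIX = "http://cyclonedx.org/schema/bom/"

  # Constructed sample BOMs used to exercise the checks below.
  SAMPLE_JSON = '{"bomFormat":"CycloneDX","specVersion":"1.7","components":[]}'
  SAMPLE_XML = '<?xml version="1.0"?>' \
               '<bom xmlns="http://cyclonedx.org/schema/bom/1.7" version="1"><components/></bom>'

  def self.cyclonedx_xml_namespace(spec_version)
    "#{NAMESPACE_PREFIX}#{spec_version}"
  end

  # --format wins when given; otherwise the file extension decides.
  def self.infer_format(path, explicit_format = nil)
    return explicit_format if explicit_format

    case File.extname(path).downcase
    when ".json" then "json"
    when ".xml" then "xml"
    else raise ArgumentError, "cannot infer BOM format from #{path.inspect}; pass --format"
    end
  end

  # Returns an array of error strings; empty means the content passed.
  def self.validate_bom_content(content, format, spec_version)
    return ["unsupported spec version #{spec_version}"] unless SUPPORTED_SPEC_VERSIONS.include?(spec_version)

    errors = []
    case format
    when "json" then validate_json(content, spec_version, errors)
    when "xml" then validate_xml(content, spec_version, errors)
    else errors << "unknown format #{format.inspect}"
    end
    errors
  end

  # JSON: the gem validates against bom-<ver>.schema.json with json_schemer;
  # here only fields a schema would certainly reject are checked.
  def self.validate_json(content, spec_version, errors)
    bom = JSON.parse(content)
    return errors << "top-level value must be an object" unless bom.is_a?(Hash)

    errors << "bomFormat must be CycloneDX" unless bom["bomFormat"] == "CycloneDX"
    errors << "specVersion #{bom["specVersion"].inspect} does not match #{spec_version}" unless bom["specVersion"] == spec_version
    errors << "components must be an array" unless bom["components"].is_a?(Array)
  rescue JSON::ParserError => e
    errors << "invalid JSON: #{e.message}"
  end

  # XML: the gem validates with Nokogiri::XML::Schema and bom-<ver>.xsd;
  # the root namespace check is the case features/validate.feature corrupts.
  def self.validate_xml(content, spec_version, errors)
    root = REXML::Document.new(content).root
    expected = cyclonedx_xml_namespace(spec_version)
    if root.nil? || root.name != "bom"
      errors << "root element must be <bom>"
    elsif root.namespace != expected
      errors << "namespace #{root.namespace.inspect} does not match #{expected}"
    end
  rescue REXML::ParseException => e
    errors << "invalid XML: #{e.message}"
  end

  def self.exit_status(errors)
    errors.empty? ? 0 : 1
  end

  # Equivalent of `--validate --validate-file <path>`: returns [exit_status, errors].
  def self.validate_file_content(path, content, spec_version, format: nil)
    errors = validate_bom_content(content, infer_format(path, format), spec_version)
    [exit_status(errors), errors]
  end
end
```

Whichever parser performs the real XSD validation should be kept from resolving external DTDs or schema locations; that is what the local `schema/` directory and catalog in this PR provide, and without it a file handed to `--validate-file` could trigger network fetches during parsing.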
- When provided, metadata.tools identifies this producer:
  - vendor: CycloneDX
  - name: cyclonedx-ruby
  - version: the gem’s version
- Emitted for both JSON and XML, and only when the selected spec supports metadata (>= 1.2).
- Help and README updated.
- features/metadata_tools.feature (integration)
- spec/cyclonedx/metadata_tools_spec.rb (unit, offline-safe)
Signed-off-by: Peter H. Boling <[email protected]>
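An added example, not the gem's implementation, of the behaviour in the commit above: a producer entry for metadata.tools is emitted only when the selected spec version supports the metadata element (>= 1.2), into both a JSON hash and a REXML document whose root carries the `http://cyclonedx.org/schema/bom/<version>` namespace. `TOOL_VERSION` is a placeholder standing in for the gem's VERSION constant.

```ruby
require "json"
require "rexml/document"

# Added example, not cyclonedx-ruby's own code: emit metadata.tools only when
# the selected CycloneDX spec version supports the metadata element (>= 1.2),
# for both a JSON hash and a REXML document.
module ToolsMetadataExample
  TOOL_VENDOR = "CycloneDX"
  TOOL_NAME = "cyclonedx-ruby"
  TOOL_VERSION = "1.2.0" # assumed placeholder; the gem reads Cyclonedx::VERSION
  MIN_METADATA_SPEC = Gem::Version.new("1.2")

  # Gem::Version orders "1.10" after "1.9", which a string comparison would not.
  def self.metadata_supported?(spec_version)
    Gem::Version.new(spec_version) >= MIN_METADATA_SPEC
  end

  def self.tool_entry
    { "vendor" => TOOL_VENDOR, "name" => TOOL_NAME, "version" => TOOL_VERSION }
  end

  # JSON BOM as a Hash; serialize with JSON.generate for output.
  def self.build_json_bom(spec_version, include_metadata: false)
    bom = { "bomFormat" => "CycloneDX", "specVersion" => spec_version, "version" => 1, "components" => [] }
    bom["metadata"] = { "tools" => [tool_entry] } if include_metadata && metadata_supported?(spec_version)
    bom
  end

  # XML BOM as a REXML::Document; the root namespace encodes the spec version.
  def self.build_bom_xml(spec_version, include_metadata: false)
    doc = REXML::Document.new
    doc << REXML::XMLDecl.new("1.0", "UTF-8")
    bom = doc.add_element("bom", "xmlns" => "http://cyclonedx.org/schema/bom/#{spec_version}", "version" => "1")
    if include_metadata && metadata_supported?(spec_version)
      tool = bom.add_element("metadata").add_element("tools").add_element("tool")
      tool_entry.each { |field, value| tool.add_element(field).text = value }
    end
    bom.add_element("components")
    doc
  end

  # Reads back /bom/metadata/tools/tool/version, or nil when no tools block was emitted.
  def self.xml_tool_version(doc)
    node = doc.root
    %w[metadata tools tool version].each do |name|
      node = node&.elements&.find { |child| child.name == name }
    end
    node&.text
  end

  def self.json_output(spec_version, include_metadata: false)
    JSON.pretty_generate(build_json_bom(spec_version, include_metadata: include_metadata))
  end
end
```

The gate matters because a spec 1.1 consumer rejects an unknown `metadata` element, so emitting tools unconditionally would make the `--include-metadata` output invalid for older spec selections.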
- Updated Cyclonedx::BomBuilder to add:
  - CLI: --enrich-components to opt-in enrichment.
  - Pass include_enrichment to build_bom(...).
  - Note: This does not alter default outputs; enrichment only applies with the flag.
- Updated Cyclonedx::BomHelpers:
  - build_bom supports include_enrichment and passes it to both JSON and XML builders.
  - build_json_bom adds bom-ref and publisher via BomComponent when include_enrichment: true.
  - build_bom_xml adds:
    - bom-ref attribute on <component> using purl.
    - <publisher>first_author</publisher> if authors are present (first item split on commas/ampersands).
  - Added a small _get helper to read properties from either Hash or OpenStruct-like objects.
- Updated Cyclonedx::BomComponent:
  - Added optional keyword parameter include_enrichment: false to hash_val.
  - When true, include:
    - "bom-ref": purl (if present)
    - "publisher": first author (if present)
  - Made property access robust across Hash/OpenStruct.
  - Ensured hashes is an array with an object { alg, content } as expected by existing specs.
- Added spec/cyclonedx/component_enrichment_spec.rb:
  - Verifies JSON has bom-ref and publisher when include_enrichment: true and omits them otherwise.
  - Verifies XML has bom-ref attribute and <publisher> when include_enrichment: true and omits otherwise.
Signed-off-by: Peter H. Boling <[email protected]>
- Fix link to renamed LICENSE => LICENSE.txt
Signed-off-by: Peter H. Boling <[email protected]>
20ae716 to d059d79
CLI and wiring
- --include-metadata
  - vendor: CycloneDX
  - name: cyclonedx-ruby
  - version: the gem’s version
- --enrich-components
JSON and XML emission
Component shape
Tests
Signed-off-by: Peter H. Boling <[email protected]>