Merge branch 'main' into license-file

Author: Shnatsel

.github/workflows/nix.yml

@@ -13,7 +13,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: Install Nix
-      uses: DeterminateSystems/nix-installer-action@v7
+      uses: DeterminateSystems/nix-installer-action@v9
     - name: Run the Magic Nix Cache
       uses: DeterminateSystems/magic-nix-cache-action@v2
 

.gitignore

@@ -4,8 +4,10 @@
 # SBOM documents
 **/bom.xml
 **/*.cdx.xml
+!cyclonedx-bom/tests/examples/**/*.cdx.xml
 **/bom.json
 **/*.cdx.json
+!cyclonedx-bom/tests/examples/**/*.cdx.json
 
 # Nix Flake
 /.direnv/

CONTRIBUTING.md

@@ -0,0 +1,62 @@
+# Contributing
+
+Contributions are welcome!
+
+But please read the
+[CycloneDX contributing guidelines](https://github.com/CycloneDX/.github/blob/master/CONTRIBUTING.md)
+first.
+
+## Reporting an issue
+
+This project uses GitHub issues to manage the issues. Open an issue directly in GitHub.
+
+If you believe you found a bug, and it's likely possible, please indicate a way to reproduce it, what you are seeing and what you would expect to see.
+
+## Asking questions
+
+We have a `#rust-cargo` Channel in the CycloneDX Slack (link in the [`README.md`](README.md)).
+
+## Pull Requests
+
+Pull requests are welcome.
+Please follow the steps outlined below and make sure to check clippy, format the code and check test output.
+
+### Sign off your commits
+
+Please sign off your commits,
+to show that you agree to publish your changes under the current terms and licenses of the project.
+
+```shell
+git commit --signoff ...
+```
+   
+## Building and developing the project
+
+### Build
+
+```shell
+cargo +stable build --verbose
+```
+
+### Test
+
+Run the tests:
+
+```shell
+cargo test
+```
+
+### Coding standards
+
+Check for deviations from coding standards:
+
+```shell
+cargo fmt -- --check
+cargo clippy --all-targets
+```
+
+Apply coding standards via:
+
+```shell
+cargo fmt
+```

Cargo.lock

@@ -8,13 +8,20 @@
 
 # CycloneDX Rust (Cargo) Plugin
 
-The CycloneDX module for Rust (Cargo) creates a valid CycloneDX Software Bill-of-Material (SBOM) containing an
-aggregate of all project dependencies. OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that
-provides advanced supply chain capabilities for cyber risk reduction
+The CycloneDX module for Rust (Cargo) creates a valid CycloneDX Software Bill of Materials (SBOM) containing an
+aggregate of all project dependencies.
+OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard providing advanced supply chain capabilities for cyber risk reduction.
+
+## Structure
+
+This repository contains two separate projects:
+
+- [`cyclonedx-bom`](./cyclonedx-bom/README.md) is a Rust library to read and write CycloneDX SBOMs to and from Rust structs.
+- [`cargo-cyclonedx`](./cargo-cyclonedx/README.md) is a Rust application, which generates CycloneDX SBOMs for Cargo based Rust projects (it uses `cyclonedx-bom` for that purpose).
 
 ## Usage
 
-Execute CycloneDX from within a Rust project directory containing Cargo.toml.
+Execute `cargo-cyclonedx` from within a Rust project directory containing Cargo.toml.
 
 ### Installing
 
@@ -34,6 +41,11 @@ cargo install cargo-cyclonedx
 cargo cyclonedx
 ```
 
+## Contributing
+
+Contributions are welcome.
+See our [`CONTRIBUTING.md`](CONTRIBUTING.md) for details.
+
 ## Copyright & License
 
 CycloneDX Rust Cargo is Copyright (c) OWASP Foundation. All Rights Reserved.

README.md

@@ -23,16 +23,16 @@ lto = "thin"
 [dependencies]
 anyhow = "1.0.75"
 cargo_metadata = "0.18.1"
-clap = { version = "4.4.8", features = ["derive"] }
+clap = { version = "4.4.11", features = ["derive"] }
 cyclonedx-bom = { version = "0.4.3", path = "../cyclonedx-bom" }
 env_logger = "0.10.0"
 log = "0.4.20"
 once_cell = "1.18.0"
 pathdiff = { version = "0.2.1", features = ["camino"] }
-percent-encoding = "2.3.0"
+percent-encoding = "2.3.1"
 purl = { version = "0.1.2", default-features = false, features = ["package-type"] }
 regex = "1.9.3"
-serde = { version = "1.0.192", features = ["derive"] }
+serde = { version = "1.0.193", features = ["derive"] }
 thiserror = "1.0.48"
 validator = { version = "0.16.1" }
 

cargo-cyclonedx/Cargo.toml

@@ -8,9 +8,9 @@
 
 # `cargo-cyclonedx`
 
-The [CycloneDX](https://cyclonedx.org/) plugin for `cargo` creates a [custom `cargo` subcommand](https://doc.rust-lang.org/cargo/reference/external-tools.html#custom-subcommands) that generates a Software Bill-of-Materials (SBOM) file that describes the `cargo` project.
+This [CycloneDX](https://cyclonedx.org/) plugin for `cargo` creates a [custom `cargo` subcommand](https://doc.rust-lang.org/cargo/reference/external-tools.html#custom-subcommands) that generates a Software Bill of Materials (SBOM) file that describes the `cargo` project.
 
-CycloneDX is a lightweight SBOM specification that is easily created, human and machine readable, and simple to parse.
+CycloneDX is a lightweight SBOM specification that is easily created, human and machine-readable, and simple to parse.
 
 ## Usage
 
@@ -88,6 +88,10 @@ This produces a `bom.xml` file adjacent to every `Cargo.toml` file that exists i
           Print version
 ```
 
+## Contributing
+
+See [CONTRIBUTING](../CONTRIBUTING.md) for details.
+
 ## Copyright & License
 
 CycloneDX Rust Cargo is Copyright (c) OWASP Foundation. All Rights Reserved.

cargo-cyclonedx/README.md

@@ -369,7 +369,7 @@ impl SbomGenerator {
                         license,
                         err,
                     );
-                    licenses.push(LicenseChoice::License(License::named_license(license)));
+                    licenses.push(LicenseChoice::License(License::named_license(license)))
                 }
             }
         }

cargo-cyclonedx/src/generator.rs

@@ -15,11 +15,12 @@ rust-version.workspace = true
 
 [dependencies]
 base64 = "0.21.2"
-http = "1.0.0"
+fluent-uri = "0.1.4"
 once_cell = "1.18.0"
+ordered-float = { version = "4.2.0", default-features = false }
 packageurl = "0.3.0"
 regex = "1.9.3"
-serde = { version = "1.0.192", features = ["derive"] }
+serde = { version = "1.0.193", features = ["derive"] }
 serde_json = "1.0.108"
 spdx = "0.10.2"
 thiserror = "1.0.48"

cyclonedx-bom/Cargo.toml

@@ -10,13 +10,17 @@
 
 The [CycloneDX](https://cyclonedx.org/) library provides JSON and XML serialization and derserialization of Software Bill-of-Materials (SBOM) files.
 
-CycloneDX is a lightweight SBOM specification that is easily created, human and machine readable, and simple to parse.
+CycloneDX is a lightweight SBOM specification that is easily created, human and machine-readable, and simple to parse.
 
 The library is intended to enable developers to:
 
 - Construct SBOM documents that conform the CycloneDX specification
 - Parse and validate JSON and XML SBOM documents
 - Perform modifications to BOM documents (e.g. merging multiple BOMs using a variety of algorithms)
+         
+## Supported CycloneDX versions
+
+This library currently supports CycloneDX 1.3 and 1.4.
 
 ## Usage
 
@@ -83,6 +87,14 @@ assert_eq!(
 );
 ```
 
+## Verification and Validation
+
+See [README](./tests/README.md) for details.
+
+## Contributing
+
+See [CONTRIBUTING](../CONTRIBUTING.md) for details.
+
 ## Copyright & License
 
 CycloneDX Rust Cargo is Copyright (c) OWASP Foundation. All Rights Reserved.