Merge remote-tracking branch 'origin/master' into Roche-CSI-main

# Conflicts:
#	.github/workflows/maven.yml
#	pom.xml

Author: Greg Gibeling

.gitattributes

@@ -0,0 +1,10 @@
+* text=auto
+
+# This file is used for computing hashes which must not differ by platform
+src/test/resources/hashtest.txt text eol=lf
+
+# Shell scripts must always use LF even on Windows
+*.sh  text eol=lf
+
+# These are explicitly Windows files and should use crlf
+*.bat  text eol=crlf

.github/release-drafter.yml

@@ -0,0 +1,65 @@
+# Configuration for Release Drafter: https://github.com/toolmantim/release-drafter
+name-template: $NEXT_PATCH_VERSION
+tag-template: cyclonedx-core-java-$NEXT_MINOR_VERSION
+version-template: $MAJOR.$MINOR.$PATCH
+
+# Emoji reference: https://gitmoji.carloscuesta.me/
+categories:
+  - title: ":boom: Breaking changes"
+    labels: 
+      - breaking
+  - title: 🚨 Removed
+    label: removed
+  - title: ":tada: Major features and improvements"
+    labels:
+      - major-enhancement
+      - major-rfe
+  - title: 🐛 Major bug fixes
+    labels:
+      - major-bug
+  - title: ⚠️ Deprecated
+    label: deprecated
+  - title: 🚀 New features and improvements
+    labels:
+      - enhancement
+      - feature
+      - rfe
+  - title: 🐛 Bug Fixes
+    labels:
+      - bug
+      - fix
+      - bugfix
+      - regression
+  - title: ":construction_worker: Changes for plugin developers"
+    labels:
+      - developer 
+  # Default label used by Dependabot
+  - title: 📦 Dependency updates
+    label: 
+      - dependencies
+      - dependency
+      - dependency-upgrade
+  - title: 📝 Documentation updates
+    label: documentation
+  - title: 👻 Maintenance
+    labels: 
+      - chore
+      - internal
+      - maintenance
+  - title: 🔧 Build
+    label: build           
+  - title: 🚦 Tests
+    labels: 
+      - test
+      - tests
+exclude-labels:
+  - reverted
+  - no-changelog
+  - skip-changelog
+  - invalid
+
+change-template: '- $TITLE ([#$NUMBER]($URL)) @$AUTHOR'
+
+template: |
+  <!-- Optional: add a release summary here -->
+  $CHANGES

.github/workflows/codeql-analysis.yml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2.3.4
+      uses: actions/checkout@v4.1.1
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
@@ -38,7 +38,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -49,7 +49,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -63,4 +63,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2

.github/workflows/docs.yml

@@ -0,0 +1,29 @@
+name: Publish documentation
+
+on:
+  push:
+    branches:
+      - master
+  workflow_dispatch:
+
+jobs:
+  build-documentation:
+    name: "Build documentation"
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/[email protected]
+      - name: Set up JDK 8
+        uses: actions/setup-java@v3
+        with:
+          distribution: temurin
+          java-version: 8
+      - name: Build with Maven
+        run: mvn package --file pom.xml
+
+      - name: Deploy documentation
+        uses: JamesIves/github-pages-deploy-action@releases/v3
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRANCH: gh-pages
+          FOLDER: target/apidocs

.github/workflows/maven.yml

@@ -0,0 +1,22 @@
+name: Maven CI
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        os: [ ubuntu-latest ]
+        java-version: [ 8 ]
+        distro: [ 'zulu', 'temurin' ]
+    runs-on: ${{ matrix.os }}
+
+    steps:
+    - uses: actions/[email protected]
+    - name: Set up JDK ${{ matrix.java-version }}
+      uses: actions/setup-java@v3
+      with:
+        distribution: ${{ matrix.distro }}
+        java-version: ${{ matrix.java-version }}
+    - name: Build with Maven
+      run: mvn package --file pom.xml

.github/workflows/release-drafter.yml

@@ -0,0 +1,19 @@
+name: Release Drafter
+on:
+  push:
+    branches:
+      - master
+
+permissions:
+  contents: read
+
+jobs:
+  update_release_draft:
+    permissions:
+      # write permission is required to create a github release
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: release-drafter/release-drafter@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

CHANGELOG.md

@@ -0,0 +1,28 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [7.1.0] - 2022-02-24
+### Added
+- `CHANGELOG.md`, due to increasing major releases, a change log has been added to help further elaborate
+on why a release occurred, when, and major points related to it.
+
+### Removed
+- `PropertiesDeserializer.java` and the associated test contributed from Lockheed Martin. 
+  The changed was predicated by a license header that is incompatible with the Apache 2.0 License, and
+  causing some consumers grief. More at [the issue where this was reported](https://github.com/CycloneDX/cyclonedx-core-java/issues/178).
+  Of note, a major release was skipped as this functionality was controlled by a property, and had to be opted in to.
+  
+## [7.0.0] - 2022-02-22
+### Changed
+- `toJsonObject` was changed to `toJsonNode`, removing a dependency on org.glassfish json-api, as well as javax json-api.
+This was done because those dependencies are GPLv2 with Classpath Exception, and while they can be likely used with
+  minimal grief, they still raise eyebrows due to the license being associated with GPLv2. This method was modified to
+  return the Jackson equivalent of `JsonObject`.
+  
+## [6.0.0] - 2022-02-16
+### Added
+- Support for CycloneDX 1.4 Schema in XML, JSON and protobuf (schema only for protobuf).
+- Notable support of `vulnerabilities` object, previously an extension. Limited support for the extension left in place.

README.md

@@ -11,8 +11,8 @@ CycloneDX Core (Java)
 =========
 
 The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, 
-validating, and parsing SBOMs. CycloneDX is a lightweight software bill of materials (SBOM) specification designed for 
-use in application security contexts and supply chain component analysis.
+validating, and parsing SBOMs. OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced
+supply chain capabilities for cyber risk reduction
 
 Maven Usage
 -------------------
@@ -21,7 +21,7 @@ Maven Usage
 <dependency>
     <groupId>org.cyclonedx</groupId>
     <artifactId>cyclonedx-core-java</artifactId>
-    <version>5.0.5</version>
+    <version>8.0.3</version>
 </dependency>
 ```
 
@@ -32,12 +32,19 @@ as well as the output format options. Use the latest possible version of this li
 the CycloneDX version supported by the target system.
 
 | Version | Schema Version | Format(s) |
-| ------- | ----------------- | --------- |
-| 5.x | CycloneDX v1.3 | XML/JSON |
-| 4.x | CycloneDX v1.2 | XML/JSON |
-| 3.x | CycloneDX v1.2 | XML/JSON |
-| 2.x | CycloneDX v1.1 | XML |
-| 1.x | CycloneDX v1.0 | XML |
+|---------|----------------|-----------|
+| 8.x     | CycloneDX v1.5 | XML/JSON  |
+| 7.x     | CycloneDX v1.4 | XML/JSON  |
+| 6.x     | CycloneDX v1.4 | XML/JSON  |
+| 5.x     | CycloneDX v1.3 | XML/JSON  |
+| 4.x     | CycloneDX v1.2 | XML/JSON  |
+| 3.x     | CycloneDX v1.2 | XML/JSON  |
+| 2.x     | CycloneDX v1.1 | XML       |
+| 1.x     | CycloneDX v1.0 | XML       |
+
+## Library API Documentation
+
+The library API documentation can be viewed online at [https://cyclonedx.github.io/cyclonedx-core-java/](https://cyclonedx.github.io/cyclonedx-core-java/).
 
 Copyright & License
 -------------------