Changelog

v11.5.0 (2025-10-31)

Features

v11.4.0 (2025-10-23)

Features

v11.3.0 (2025-10-22)

Bug Fixes

Features

v11.2.0 (2025-10-15)

Documentation

Features

v11.1.0 (2025-09-09)

Documentation

Features

v11.0.0 (2025-07-21)

Features

v10.5.0 (2025-07-20)

Features

v10.4.1 (2025-07-08)

Bug Fixes

v10.4.0 (2025-07-08)

Bug Fixes

Features

v10.3.0 (2025-06-30)

Documentation

Features

v10.2.0 (2025-06-10)

Bug Fixes

Features

v10.1.0 (2025-06-05)

Features

v10.0.2 (2025-06-02)

Bug Fixes

v10.0.1 (2025-05-10)

Bug Fixes

Documentation

v10.0.0 (2025-04-23)

Features

v9.1.1-rc.1 (2025-03-03)

v9.1.0 (2025-02-27)

Bug Fixes

Features

v9.0.2 (2025-02-26)

v9.0.0 (2025-02-26)

BREAKING Changes

  • Fix: model.vulnerability.VulnerabilityReference's properties are all mandatory (#790 via #792)

  • Refactor: Rename spdx.is_compund_expression -> spdx.is_expression (#779)

  • Behavior: BomRef affects comparison/hashing (#754 & #780)
    This is only a breaking change if you relied on ordering of elements.

  • Behavior: streamline comparison/hashing functions (#755)
    This is only a breaking change if you relied on ordering of elements.

  • Dependency: bump dependency py-serializable >=2 <3, was >=1.1.1 <2 (#775)
    This is only a breaking change if you have other packages that depend on that specific version.

v8.9.0 (2025-02-25)

Documentation

Features

v8.8.0 (2025-02-12)

Features

v8.7.0 (2025-02-06)

Features

v8.6.0 (2025-02-04)

Features

v8.5.1 (2025-01-28)

Documentation

Features

v8.5.0 (2024-11-18)

Documentation

Features

v8.4.0 (2024-10-29)

Bug Fixes

Features

v8.3.0 (2024-10-26)

Documentation

Features

v8.2.1 (2024-10-24)

Bug Fixes

v8.2.0 (2024-10-22)

Features

v8.1.0 (2024-10-21)

Documentation

Features

v8.0.0 (2024-10-14)

Documentation

Features

BREAKING Changes

  • Removed cyclonedx.model.ThisTool, utilize cyclonedx.builder.this.this_tool() instead.

  • Moved cyclonedx.model.Tool to cyclonedx.model.tool.Tool.

  • Property cyclonedx.model.bom.BomMetaData.tools is of type cyclonedx.model.tool.ToolRepository now, was SortedSet[cyclonedx.model.Tool]. The getter will act accordingly; the setter might act in a backwards-compatible way.

  • Property cyclonedx.model.vulnerability.Vulnerability.tools is of type cyclonedx.model.tool.ToolRepository now, was SortedSet[cyclonedx.model.Tool]. The getter will act accordingly; the setter might act in a backwards-compatible way.

  • Constructor cyclonedx.model.license.LicenseExpression() accepts optional argument acknowledgement only as key-word argument, no longer as positional argument.

Changes

  • Constructor of cyclonedx.model.bom.BomMetaData also accepts an instance of cyclonedx.model.tool.ToolRepository for argument tools.

  • Constructor of cyclonedx.model.bom.BomMetaData no longer adds this very library as a tool. Downstream users SHOULD add it manually, like my-bom.metadata.tools.components.add(cyclonedx.builder.this.this_component()).

Fixes

  • CycloneDX documents that do not include tools in the metadata are no longer unexpectedly modified/altered on deserialization.

Added

Enabled Metadata Tools representation and serialization in accordance with CycloneDX 1.5

  • New class cyclonedx.model.tool.ToolRepository.

  • New function cyclonedx.builder.this.this_component() – representation of this very python library as a Component.

  • New function cyclonedx.builder.this.this_tool() – representation of this very python library as a Tool.

  • New function cyclonedx.model.tool.Tool.from_component().

Dependencies

  • Raised runtime dependency py-serializable>=1.1.1,<2, was >=1.1.0,<2.

v7.6.2 (2024-10-07)

Bug Fixes

Documentation

v7.6.1 (2024-09-18)

Bug Fixes

v7.6.0 (2024-08-14)

Features

v7.5.1 (2024-07-08)

Bug Fixes

v7.5.0 (2024-07-04)

Features

v7.4.1 (2024-06-12)

Bug Fixes

Documentation

v7.4.0 (2024-05-23)

Documentation

Features

v7.3.4 (2024-05-06)

Bug Fixes

v7.3.3 (2024-05-06)

Bug Fixes

v7.3.2 (2024-04-26)

Bug Fixes

v7.3.1 (2024-04-22)

Bug Fixes

v7.3.0 (2024-04-19)

Features

v7.2.0 (2024-04-19)

Features

v7.1.0 (2024-04-10)

Documentation

Features

v7.0.0 (2024-04-09)

Features

  • Support for CycloneDX v1.6 (8bbdf46, https://github.com/CycloneDX/cyclonedx-python-lib/commit/8bbdf461434ab66673a496a8305c2878bf5c88da)

  • added draft v1.6 schemas and boilerplate for v1.6

  • re-generated test snapshots for v1.6

  • note bom.metadata.manufacture as deprecated

  • work on bom.metadata for v1.6

  • Deprecated .component.author. Added .component.authors and .component.manufacturer

  • work to add .component.omniborid - but deserialisation tests fail due to schema differences (.component.author not in 1.6)

  • work to get deserialization tests passing

v6.4.4 (2024-03-18)

Bug Fixes

v6.4.3 (2024-03-04)

Bug Fixes

v6.4.2 (2024-03-01)

Build System

Documentation

v6.4.1 (2024-01-30)

Bug Fixes

Documentation

v6.4.0 (2024-01-22)

Documentation

Features

v6.3.0 (2024-01-06)

Documentation

Features

v6.2.0 (2023-12-31)

Build System

Documentation

Features

v6.1.0 (2023-12-22)

Features

v6.0.0 (2023-12-10)

Features

Breaking Changes

  • Removed symbols that were already marked as deprecated (via #493)

  • Removed symbols in parser.* (#489 via #495)

  • Removed output.LATEST_SUPPORTED_SCHEMA_VERSION (#491 via #494)

  • Serialization of unsupported enum values might downgrade/migrate/omit them (#490 via #496)
    Handling might raise warnings if a data loss occurred due to omitting. The result is a guaranteed valid XML/JSON, since no (enum-)invalid values are rendered.

  • Serialization of any model.component.Component with unsupported type raises exception.serialization.SerializationOfUnsupportedComponentTypeException (#490 via #496)

  • Object model.bom_ref.BomRef's property value defaults to Null, was arbitrary UUID (#504 via #505)
    This change does not affect serialization. All bom-refs are guaranteed to have unique values on rendering.

  • Removed helpers from public API (#503 via #506)

Added

  • Basic support for CycloneDX 1.5 (#404 via #488)

  • No data models were enhanced nor added, yet. Pull requests to add functionality are welcome.

  • Existing enumerable got new cases, to reflect features of CycloneDX 1.5 (#404 via #488)

  • Outputters were enabled to render CycloneDX 1.5 (#404 via #488)

Tests

  • Created (regression/unit/integration/functional) tests for CycloneDX 1.5 (#404 via #488)

  • Created (regression/functional) tests for Enums' handling and completeness (#490 via #496)

Misc

  • Bumped dependency py-serializable@^0.16, was @^0.15 (via #496)

API Changes — the details for migration

  • Added new sub-package exception.serialization (via #496)

  • Removed class models.ComparableTuple (#503 via #506)

  • Enum model.ExternalReferenceType got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)

  • Removed function models.get_now_utc (#503 via #506)

  • Removed function models.sha1sum (#503 via #506)

  • Enum model.component.ComponentType got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)

  • Removed model.component.Component.__init__()'s deprecated optional kwarg namespace (via #493)
    Use kwarg group instead.

  • Removed model.component.Component.__init__()'s deprecated optional kwarg license_str (via #493)
    Use kwarg licenses instead.

  • Removed deprecated method model.component.Component.get_namespace() (via #493)

  • Removed class models.dependency.DependencyDependencies (#503 via #506)

  • Removed model.vulnerability.Vulnerability.__init__()'s deprecated optional kwarg source_name (via #493)
    Use kwarg source instead.

  • Removed model.vulnerability.Vulnerability.__init__()'s deprecated optional kwarg source_url (via #493)
    Use kwarg source instead.

  • Removed model.vulnerability.Vulnerability.__init__()'s deprecated optional kwarg recommendations (via #493)
    Use kwarg recommendation instead.

  • Removed model.vulnerability.VulnerabilityRating.__init__()'s deprecated optional kwarg score_base (via #493)
    Use kwarg score instead.

  • Enum model.vulnerability.VulnerabilityScoreSource got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)

  • Removed output.LATEST_SUPPORTED_SCHEMA_VERSION (#491 via #494)

  • Removed deprecated function output.get_instance() (via #493)
    Use function output.make_outputter() instead.

  • Added new class output.json.JsonV1Dot5, to reflect CycloneDX 1.5 (#404 via #488)

  • Added new item to dict output.json.BY_SCHEMA_VERSION, to reflect CycloneDX 1.5 (#404 via #488)

  • Added new class output.xml.XmlV1Dot5, to reflect CycloneDX 1.5 (#404 via #488)

  • Added new item to dict output.xml.BY_SCHEMA_VERSION, to reflect CycloneDX 1.5 (#404 via #488)

  • Removed class parser.ParserWarning (#489 via #495)

  • Removed class parser.BaseParser (#489 via #495)

  • Enum schema.SchemaVersion got new case V1_5, to reflect CycloneDX 1.5 (#404 via #488)

v5.2.0 (2023-12-02)

Documentation

Features

v5.1.1 (2023-11-02)

Bug Fixes

v5.1.0 (2023-10-31)

Documentation

Features

v5.0.1 (2023-10-24)

Documentation

v5.0.0 (2023-10-24)

Features

BREAKING CHANGES

  • Dropped support for python<3.8 (#436 via #441; enable #433)

  • Reworked license related models, collections, and factories (#365 via #466)

  • Behavior

    • Method model.bom.Bom.validate() will throw exception.LicenseExpressionAlongWithOthersException, if detecting invalid license constellation (#453 via #452)

    • Fixed tuple comparison when unequal lengths (via #461)

  • API

    • Enum schema.SchemaVersion is no longer string-like (#442 via #447)

    • Enum schema.OutputVersion is no longer string-like (#442 via #447)

    • Abstract class output.BaseOutput requires implementation of new method output_format (#446 via #447)

    • Abstract method output.BaseOutput.output_as_string() got new optional parameter indent (#437 via #458)

    • Abstract method output.BaseOutput.output_as_string() accepts arbitrary kwargs (via #458, #462)

    • Removed class factory.license.LicenseChoiceFactory (via #466)
      The old functionality was integrated into factory.license.LicenseFactory.

    • Method factory.license.LicenseFactory.make_from_string()'s parameter name_or_spdx was renamed to value (via #466)

    • Method factory.license.LicenseFactory.make_from_string()'s return value can also be a LicenseExpression (#365 via #466)
      The behavior imitates the old factory.license.LicenseChoiceFactory.make_from_string()

    • Renamed class module.License to module.license.DisjunctiveLicense (#365 via #466)

    • Removed class module.LicenseChoice (#365 via #466)
      Use dedicated classes module.license.DisjunctiveLicense and module.license.LicenseExpression instead

    • All occurrences of models.LicenseChoice were replaced by models.licenses.License (#365 via #466)

    • All occurrences of SortedSet[LicenseChoice] were specialized to models.license.LicenseRepository (#365 via #466)

Fixed

  • Serialization of multi-licenses (#365 via #466)

  • Detect unused "dependent" components in model.bom.validate() (via #464)

Changed

  • Updated the list of supported SPDX license identifiers to the latest (via #433)

  • Shipped schema files are moved to a protected space (via #433)
    These files were never intended for public use.

  • XML output uses a default namespace, which makes results smaller. (#438 via #458)

Added

  • Support for Python 3.12 (via #460)

  • JSON- & XML-Validators (#432, #446 via #433, #448)
    The functionality might require additional dependencies, that can be installed with the extra "validation". See the docs in section "Installation" for details.

  • JSON & XML can be generated in a more human-friendly form (#437, #438 via #458)

  • Type hints, typings & overloads for better integration downstream (via #463)

  • API

    • New function output.make_outputter() (via #469)
      This replaces the deprecated function output.get_instance().

    • New sub-package validation (#432, #446 via #433, #448, #469, #468, #469)

    • New class exception.MissingOptionalDependencyException (#432 via #433)

    • New class exception.LicenseExpressionAlongWithOthersException (#453 via #452)

    • New dictionaries output.{json,xml}.BY_SCHEMA_VERSION (#446 via #447)

    • Existing implementations of class output.BaseOutput now have a new method output_format (#446 via #447)

    • Existing implementations of method output.BaseOutput.output_as_string() got new optional parameter indent (#437 via #458)

    • Existing implementations of method output.BaseOutput.output_to_file() got new optional parameter indent (#437 via #458)

    • New method factory.license.LicenseFactory.make_with_expression() (via #466)

    • New class model.license.DisjunctiveLicense (#365 via #466)

    • New class model.license.LicenseExpression (#365 via #466)

    • New class model.license.LicenseRepository (#365 via #466)

    • New class serialization.LicenseRepositoryHelper (#365 via #466)

Deprecated

  • Function output.get_instance() might be removed, use output.make_outputter() instead (via #469)

Tests

  • Added validation tests with official CycloneDX schema test data (#432 via #433)

  • Use proper snapshots, instead of pseudo comparison (#437 via #464)

  • Added regression test for bug #365 (via #466, #467)

Misc

  • Dependencies: bumped py-serializable@^0.15.0, was @^0.11.1 (via #458, #463, #464, #466)

  • Style: streamlined quotes and strings (via #472)

  • Chore: bumped internal dev- and QA-tools (#436 via #441, #472)

  • Chore: added more QA tools to prevent common security issues (via #473)

v4.2.3 (2023-10-16)

Bug Fixes

v4.2.2 (2023-09-14)

Bug Fixes

Documentation

v4.2.1 (2023-09-06)

Bug Fixes

v4.2.0 (2023-09-06)

Features

v4.1.0 (2023-08-27)

Documentation

Features

v4.0.1 (2023-06-28)

Bug Fixes

Build System

Documentation

v4.0.0 (2023-03-20)

Bug Fixes

Features

Breaking Changes

  • Large portions of this library have been re-written for this release and many methods and contracts have changed.

v3.1.5 (2023-01-12)

Bug Fixes

v3.1.4 (2023-01-11)

Bug Fixes

Features

v3.1.3 (2023-01-07)

Bug Fixes

v3.1.2 (2023-01-06)

Bug Fixes

Documentation

v3.1.1 (2022-11-28)

Bug Fixes

v3.1.0 (2022-09-15)

Features

v2.7.1 (2022-08-01)

Bug Fixes

v2.7.0 (2022-07-21)

Features

v2.6.0 (2022-06-20)

Features

v2.5.2 (2022-06-15)

Bug Fixes

v2.5.1 (2022-06-10)

Bug Fixes

v2.5.0 (2022-06-10)

Build System

Documentation

Features

v2.4.0 (2022-05-17)

Features

v2.3.0 (2022-04-20)

Features

v2.2.0 (2022-04-12)

Features

v2.1.1 (2022-04-05)

Bug Fixes

v2.1.0 (2022-03-28)

Features

v2.0.0 (2022-02-21)

BREAKING Changes

  • BREAKING CHANGE: Adopt PEP-3102

  • BREAKING CHANGE: Optional Lists are now non-optional Sets

  • BREAKING CHANGE: Remove concept of DEFAULT schema version - replaced with LATEST schema version

  • BREAKING CHANGE: Added BomRef data type

Bug Fixes

Features

v1.3.0 (2022-01-24)

Features

v1.2.0 (2022-01-24)

Features

v1.1.1 (2022-01-19)

Bug Fixes

v1.1.0 (2022-01-13)

Features

v1.0.0 (2022-01-13)

v0.12.3 (2021-12-15)

Bug Fixes

v0.12.2 (2021-12-09)

Bug Fixes

v0.12.1 (2021-12-09)

Bug Fixes

v0.12.0 (2021-12-09)

Bug Fixes

Features

v0.11.1 (2021-11-10)

Bug Fixes

v0.11.0 (2021-11-10)

Features

v0.10.2 (2021-10-21)

Bug Fixes

v0.10.1 (2021-10-21)

Bug Fixes

v0.10.0 (2021-10-20)

Features

v0.9.1 (2021-10-19)

v0.9.0 (2021-10-19)

Bug Fixes

Features

v0.8.3 (2021-10-14)

Bug Fixes

v0.8.2 (2021-10-14)

Bug Fixes

v0.8.1 (2021-10-12)

Bug Fixes

v0.8.0 (2021-10-12)

Features

v0.7.0 (2021-10-11)

Features

v0.6.2 (2021-10-11)

v0.6.1 (2021-10-11)

Bug Fixes

v0.6.0 (2021-10-11)

Features

v0.5.0 (2021-10-11)

Bug Fixes

Build System

Features

v0.4.1 (2021-09-27)

Bug Fixes

Build System

v0.4.0 (2021-09-16)

Bug Fixes

Features

v0.3.0 (2021-09-15)

Features

v0.2.0 (2021-09-14)

Bug Fixes

v0.1.0 (2021-09-13)

Features

v0.0.11 (2021-09-10)

Bug Fixes

v0.0.10 (2021-09-08)

Bug Fixes

v0.0.9 (2021-09-08)

v0.0.8 (2021-09-08)

Bug Fixes

v0.0.7 (2021-09-08)

Bug Fixes

v0.0.6 (2021-09-08)

Bug Fixes

v0.0.5 (2021-09-08)

v0.0.4 (2021-09-08)

v0.0.3 (2021-09-08)

v0.0.2 (2021-09-08)

  • Initial Release