Source: sonatype-nexus-community/jake#72

Validated by running:

pip install cyclonedx-python-lib==0.12.2 --only-binary=:all:

Looking in indexes: https://OBFUSCATED/repository/pupy/simple
Collecting cyclonedx-python-lib==0.12.2
  Using cached https://OBFUSCATED/repository/pupy/packages/cyclonedx-python-lib/0.12.2/cyclonedx_python_lib-0.12.2-py3-none-any.whl (128 kB)
Collecting types-toml<0.11.0,>=0.10.0
  Using cached https://OBFUSCATED/repository/pupy/packages/types-toml/0.10.1/types_toml-0.10.1-py3-none-any.whl (2.1 kB)
Collecting packageurl-python>=0.9
  Using cached https://OBFUSCATED/repository/pupy/packages/packageurl-python/0.9.6/packageurl_python-0.9.6-py3-none-any.whl (23 kB)
ERROR: Could not find a version that satisfies the requirement requirements_parser>=0.2 (from cyclonedx-python-lib) (from versions: none)
ERROR: No matching distribution found for requirements_parser>=0.2

Note from https://pypi.org/project/requirements-parser/0.2.0/#files:

As called out in #151 by @jkowalleck, 1.0 is old and very sparse compared to the more recent versions of the CycloneDX schema.

This ticket aims to collect any feedback from the community as to whether:

• This library is used to product BOMs in schema version 1.0
• Anyone has any strong feelings / requirements for us to keep supporting 1.0

currently the code goes trough a pep8 test via flake8 that must be passed in CI

as a developer i want a tool available, that automatically fixes my code according to pep8

options:

• autopep8: https://pypi.org/project/autopep8/
• black: https://pypi.org/project/black/
• yapf: https://pypi.org/project/yapf/

I, @jkowalleck, prefer autopep8 as it fixes pep8 only. black is to much opinionated.

Thanks for this!

I know poetry makes it easy lock every little thing down, and it makes testing easier, higher assurance, yadda yadda, but practically, it's quite inflexible when the effective ranges are very small... and on a self-declared lib to boot.

Specifically, hooray for declaring a setuptools dependency: so many pkgutils-using packages forget to.

However the size of the range covered by setuptools ^50.3.2 makes it relatively hard to appease (as in: exactly 1 version).

Selfishly, this is blocking me downstream in packaging this and ultimately jake 1.x for conda-forge.

The same goes for importlib_metadata which unfortunately gets pinned in a number of packages, and seems to change a lot for a backport package.

Anyhow: would the maintainers be open to a PR that:

• loosened the range of e.g. setuptools to be something more like >=50.3.2,<59
• added a CI test excursion for the lowest and highest bound

In the meantime, I may try patching the pin over on conda-forge and running the full test suite...

I'm planning on adding library API documentation and using pdoc. Any thoughts/opinions on this from anyone? @madpah

Multiple issues in jake relate to issues when using jake pre 1.0.0 and conda. jake >=1.0.0 no longer has conda support as it relies on this library (cyclonedx-python-lib) for parsing data sources.

Issues related:

• sonatype-nexus-community/jake#50
• sonatype-nexus-community/jake#66
• sonatype-nexus-community/jake#67

This feature should add support for:

• Parsing conda list output
• Parsing conda lock files (see sonatype-nexus-community/jake#66)

According to specification 1.4, we still lack support in for the following:

• component.swid
• component.modified (DEPRECATED since schema version 1.1)
• component.pedigree
• component.components
• component.evidence

This feature will add support in the model for the above items, EXCLUDING modified, and appropriate outputs to JSON and XML.

#169 also pointed out the lack of support (in XML) for:

• component.supplier
• component.publisher
• component.description
• component.scope
• component.copyright
• component.components
• component.evidence

Raised in #51, an example of a valid Conda package URL (https://conda.anaconda.org/conda-forge/linux-64/_libgcc_mutex-0.1-conda_forge.tar.bz2#d7c89558ba9fa0495403155b64376d81) has been provided which breaks our parsing logic.

Specification for Conda packages is here, but this doesn't seem to be deterministic in all cases unfortunately.

@madpah a huge change i would suggest is: all optional lists become non-optional sets.
based on https://github.com/CycloneDX/cyclonedx-python-lib/pull/148/files#r798309225

this way a lot of problems would be solved:

• no need for implementing object.add_<list-property>() all the time
• the order of the list-properties would no longer matter - no sorting, no whatsoever
• serializers/normalizers would always have a reliable non-optional data type to work with (remeber: an empty set is falsy - for easy size-checks)
• additionally: use the set-literal: instead of writing set([...]) simply write {...} - if this was needed at any place, still

Originally posted by @jkowalleck in #148 (comment)

Raising here from CycloneDX/cyclonedx-python#40 given the split into this library.

CycloneDX schema version 1.2+ supports bom.dependencies which can be used to generate dependency tree graphs from CycloneDX BOMs.

This library currently has no support for bom.dependencies.

Taken from CycloneDX/cyclonedx-python#194.

This library currently supports requirements.txt files according to PEP-508 specification.

PEP-508 does not cater for cryptographic hashes being included in requirements.txt files.

However, since version 8.0 of pip, hashes and checking of hashes during dependency installation has been possible - see here.

This library currently defaults to schema version 1.3. This feature will update this to be 1.4.

packageurl-python is causing a lot of trouble in older versions. versions we are not currently running/testing in the CI.

packageurl-python is doing a stupid amount of effort to still support python2.
and therefore breaks in python3 sometimes.

i suggest to raise the dependency to >=0.9 to prevent unexpectedissues downstream

this one is related/caused by #44

The CPE (https://nvd.nist.gov/products/cpe) is still often used to identify vulnerabilities in software and also used by Dependency Track to identify vulnerabilities.

I am currently generating a cyclonedx sbom file with this library with input from various sources where the sources sometimes include the CPE value for the component. The sbom then is imported into DT and other tools to identify vulnerabilities.

Currently I cannot add the CPE to the sbom using this library as the CPE is not supported in the component.

Pull request for this feature already added.

As identified in #67, this library does not yet support Services.

This feature will add support to allow BOMs containing Services for schema versions that support this.

After discussions between the maintainers regarding how to consider cyclonedx-conan adopting this library, it became clear that this library should just contain:

• Models
• Output Serializers
  (based on what it contains today)

This means that the Parsers (all of which are specific to Python today) should be relocated to cyclonedx-python (which consumes this library).

As discussed in #67, version became optional for a Component in 1.4.

The fallback should be an empty string for versions prior to 1.4 if a Component has no version.

This is currently failing with release 1.3.0.

We're getting a large number of test fixtures now and and this ticket will re-organise them into sub-directories:

tests/fixtures/<FORMAT>/<SCHEMA_VERSION>/<FIXTURE_NAME>.<EXTENSION>

Where:

• <FORMAT> is json or xml
• <SCHEMA_VERSION> is decimalised schema version - e.g. 1.4
• <FIXTURE_NAME> remains a suitable descriptive name
• <EXTENSION> remains either json or xml

poetry failed to install in CI from time to time. the a administrator/mintainer needs to click the "re-run all jobs" button to kick tests manually. see https://github.com/CycloneDX/cyclonedx-python-lib/runs/4470098505?check_suite_focus=true#step:11:40
this seams to be caused by the poetry cache.

as a maintainer i want the poetry install to pass, so that dont have to re-run them manually.

See https://github.com/CycloneDX/cyclonedx-python-lib/runs/4595932920?check_suite_focus=true.

This appears to be the case since #93 was merged.

FYI: @jkowalleck

When trying to create a SBOM I get below failure

Pipfile.lock has dependencies under default that do not have the index property

cyclonedx-py --pip --pip-file Pipfile.lock -o bom/bom.xml 
Traceback (most recent call last):
  File "/usr/local/bin/cyclonedx-py", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 232, in main
    CycloneDxCmd(args).execute()
  File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 87, in execute
    output = self.get_output()
  File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 51, in get_output
    parser = self._get_input_parser()
  File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 200, in _get_input_parser
    return PipEnvFileParser(pipenv_lock_filename=pipfile_lock_file)
  File "/usr/local/lib/python3.9/site-packages/cyclonedx/parser/pipenv.py", line 56, in __init__
    super(PipEnvFileParser, self).__init__(pipenv_contents=r.read())
  File "/usr/local/lib/python3.9/site-packages/cyclonedx/parser/pipenv.py", line 38, in __init__
    if package_data['index'] == 'pypi':
KeyError: 'index'

Snippet from my Pipfile.lock, FastAPi is only dependency found in my Pipfile and is only one with index

{
    "_meta": {
        "hash": {
            "sha256": "1aa5cc0cbb58a7e87ec73a2cb334c49b65b31a165451fef0****"
        },
        "pipfile-spec": 6,
        "requires": {
            "python_version": "3.9"
        },
        "sources": [
            {
                "name": "pypi",
                "url": "https://artifactory.jfrog.*****.com/artifactory/api/pypi/pypi/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
        "anyio": {
            "hashes": [
                "sha256:56ceaeed2877723578b1341f4f68c29081db189cfb40a97d1922b9513f6d7db6",
                "sha256:8eccec339cb4a856c94a75d50fc1d451faf32a05ef406be462e2efc59c9838b0"
            ],
            "markers": "python_full_version >= '3.6.2'",
            "version": "==3.3.3"
        },
        "asgiref": {
            "hashes": [
                "sha256:4ef1ab46b484e3c706329cedeff284a5d40824200638503f5768edb6de7d58e9",
                "sha256:ffc141aa908e6f175673e7b1b3b7af4fdb0ecb738fc5c8b88f69f055c2415214"
            ],
            "markers": "python_full_version >= '3.6.0'",
            "version": "==3.4.1"
        },
        "certifi": {
            "hashes": [
                "sha256:78884e7c1d4b00ce3cea67b44566851c4343c120abd683433ce934a68ea58872",
                "sha256:d62a0163eb4c2344ac042ab2bdf75399a71a2d8c7d47eac2e2ee91b9d6339569"
            ],
            "version": "==2021.10.8"
        },
        "charset-normalizer": {
            "hashes": [
                "sha256:e019de665e2bcf9c2b64e2e5aa025fa991da8720daa3c1138cadd2fd1856aed0",
                "sha256:f7af805c321bfa1ce6714c51f254e0d5bb5e5834039bc17db7ebe3a4cec9492b"
            ],
            "markers": "python_version >= '3'",
            "version": "==2.0.7"
        },
        "click": {
            "hashes": [
                "sha256:353f466495adaeb40b6b5f592f9f91cb22372351c84caeb068132442a4518ef3",
                "sha256:410e932b050f5eed773c4cda94de75971c89cdb3155a72a0831139a79e5ecb5b"
            ],
            "markers": "python_full_version >= '3.6.0'",
            "version": "==8.0.3"
        },
        "fastapi": {
            "hashes": [
                "sha256:66da43cfe5185ea1df99552acffd201f1832c6b364e0f4136c0a99f933466ced",
                "sha256:a36d5f2fad931aa3575c07a3472c784e81f3e664e3bb5c8b9c88d0ec1104f59c"
            ],
            "index": "pypi",
            "version": "==0.70.0"
        },
...

I also get error if I try to create a requirements.txt from Pipfile and scan that

pipenv lock -r > requirements.txt 
cyclonedx-py -r -rf requirements.txt -o bom/bom.xml

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/packaging/requirements.py", line 98, in __init__
    req = REQUIREMENT.parseString(requirement_string)
  File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 1654, in parseString
    raise exc
  File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 1644, in parseString
    loc, tokens = self._parse( instring, 0 )
  File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 1402, in _parseNoCache
    loc,tokens = self.parseImpl( instring, preloc, doActions )
  File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 3417, in parseImpl
    loc, exprtokens = e._parse( instring, loc, doActions )
  File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 1402, in _parseNoCache
    loc,tokens = self.parseImpl( instring, preloc, doActions )
  File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 3739, in parseImpl
    return self.expr._parse( instring, loc, doActions, callPreParse=False )
  File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 1402, in _parseNoCache
    loc,tokens = self.parseImpl( instring, preloc, doActions )
  File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 3400, in parseImpl
    loc, resultlist = self.exprs[0]._parse( instring, loc, doActions, callPreParse=False )
  File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 1406, in _parseNoCache
    loc,tokens = self.parseImpl( instring, preloc, doActions )
  File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 2711, in parseImpl
    raise ParseException(instring, loc, self.errmsg, self)
pkg_resources._vendor.pyparsing.ParseException: Expected W:(abcd...) (at char 0), (line:1, col:1)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/cyclonedx-py", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 232, in main
    CycloneDxCmd(args).execute()
  File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 87, in execute
    output = self.get_output()
  File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 51, in get_output
    parser = self._get_input_parser()
  File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 216, in _get_input_parser
    return RequirementsFileParser(requirements_file=requirements_file)
  File "/usr/local/lib/python3.9/site-packages/cyclonedx/parser/requirements.py", line 60, in __init__
    super(RequirementsFileParser, self).__init__(requirements_content=r.read())
  File "/usr/local/lib/python3.9/site-packages/cyclonedx/parser/requirements.py", line 32, in __init__
    for requirement in requirements:
  File "/usr/local/lib/python3.9/site-packages/pkg_resources/__init__.py", line 3080, in parse_requirements
    yield Requirement(line)
  File "/usr/local/lib/python3.9/site-packages/pkg_resources/__init__.py", line 3090, in __init__
    super(Requirement, self).__init__(requirement_string)
  File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/packaging/requirements.py", line 100, in __init__
    raise InvalidRequirement(
pkg_resources.extern.packaging.requirements.InvalidRequirement: Parse error at "'-i https'": Expected W:(abcd...)

requirements.txt

#
# These requirements were autogenerated by pipenv
# To regenerate from the project's Pipfile, run:
#
#    pipenv lock --requirements
#

-i https://artifactory.jfrog.*****.com/artifactory/api/pypi/pypi/simple
anyio==3.3.3; python_full_version >= '3.6.2'
asgiref==3.4.1; python_full_version >= '3.6.0'
certifi==2021.10.8
charset-normalizer==2.0.7; python_version >= '3'
click==8.0.3; python_full_version >= '3.6.0'
fastapi==0.70.0
...

Environment

docker image
python:3.9-slim

pip freeze 
pipenv==2021.5.29
cyclonedx-bom==1.2.0
cyclonedx-python-lib==0.8.1

Very minor issue noted here.

If a BOM is has ZERO Components, components is still included in the generated BOM as an empty array.

Not invalid, but not tidy.

Currently our models rely on the consumer to specifiy/provide a value for a Component or Vulnerability's bom-ref.

In previous versions of this library, the purl was automatically used for this purpose (for Component) but this was removed as a Component may not have a purl.

As pointed out in sonatype-nexus-community/jake#91, for Vulnerabilities to be able to specify which Components are affected (in 1.4), Components must have a bom-ref - see here.

It's worth noting that bom-ref is optional within the schema for both Component and Vulnerability.

This Feature will look to assign a UUID as the bom-ref if a value has not been provided by the consumer.

At the moment I can't see a way of specifying the namespace or subpath for a component purl.

https://github.com/package-url/purl-spec#purl

I hit this limitation trying to use this library for the Conan implementation and not being about to set the purl correctly.

as a <> i want build artifacts added to a release, so PyPI is not my single point of source.

use https://github.com/actions/upload-release-asset
to add the wheel(build/*.whl) and source (build/*.tar.gz) artifacts to the release

how to do it: see an example here: https://github.com/k4cg/nichtparasoup/blob/3.0-dev/.github/workflows/release.yaml

build artifacts to store

• dist release
• source release

Following #106, decision has been taken to move documentation to RTD.

Work should be completed as part of the 1.4 spec overhaul.

In order to deliver on the answer provided in #26, we need to extend the support in this library to allow for externalReferences on Component instances.

See https://cyclonedx.org/use-cases/#external-references

As identified in #67, this library does not yet support properties at the bom root level.

This feature will add support to allow a BOM to have properties.

As identified in #67, this library does not yet support external references at the BOM level.

This feature will add support for External References at the root BOM.

This issue was originally raised here but has been relocated to this project as it is now the cyclonedx-python-lib that implements the specification and not cyclonedx-python.

References from original issue:

• https://cyclonedx.org/docs/1.2/#type_metadata

Notes from @stevespringett:

• authors is intended for human creators of the SBOM. This tool produces them through automation, so I'd recommend having support for the metadata\component and metadata\tools\tool

Notes from @sbs2001:

• For metadata\component, we could borrow the code at https://github.com/nexB/scancode-toolkit/blob/839964c205fa76562ec3c24c667183b3d0bb9f5a/src/packagedcode/pypi.py#L302 as a start ?

💯 note for mysel: see of 1.3 serializers ommit this

Originally posted by @jkowalleck in #108 (comment)

We currently don't support pipenv's Pipfile.lock. This feature should add support for this.

Raised as root cause of CycloneDX/cyclonedx-python#235.

might require CycloneDX/specification#106

the current json result follows an existing schema, described in https://github.com/CycloneDX/specification/tree/master/schema

feature request: add the used schema as a property $schema of the resulting json.
the value must be the $id of the schema used.

example:

{
  "$schema": "http://cyclonedx.org/schema/bom-1.3.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "acme-library",
      "version": "1.0.0"
    }
  ]
}

as a developer i want all imports sorted, so i read and maintain them easily

proposal:

• have isort as a tool available in poetry-dev-env
• have isort configured -- see below
• have flake8 plugin flake8-isort` installed and setup in poetry-dev-env
• have isort applied to all python files (once)
• have the use of isort mentioned i the CONTRIBUTING docs

proposed isort config file .isort.cfg:

[isort]
## read the docs: https://github.com/timothycrosley/isort/wiki/isort-Settings
known_first_party = cyclonedx
skip_glob =
    build,dist,__pycache__,.eggs,*_cache
    .git,.tox,.venv,venv
    _OLD,_TEST,
    docs
combine_as_imports = true
default_section = THIRDPARTY
include_trailing_comma = true
line_length = 120
multi_line_output = 5

Created from:

• #138 (comment)
• #138 (comment)

It's commonplace in the Python ecosystem for a given package version to be available in both whl and tar.gz formats (and possibly others.

When we define a Component in a CycloneDX schema, this Component can include a list of hashes that provide an integrity to the definition. This is complicated in the Python eco-system as we do not know? which format/download has been used.

For example, in a Pipfile.lock for toml==0.10.2 you will see two hashes which correlate to both the whl and tar.gz formats:

"hashes": [
    "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b",
    "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f"
],

Including both hashes may be the correct answer, but I'm seeking clarification from the @CycloneDX/core-team prior to implementation.

The Component class' __hash__ implementation attempts to hash an unhashable list of Property objects if present. This prevents Component objects from being compared, which in turn prevents one from adding Component objects to Bom objects via Bom's add_component method.

Example:

from cyclonedx.model.component import Component
from cyclonedx.model import Property
component1 = Component("component 1", properties=[Property("prop 1", "value 1")])
component2 = Component("component 2")
component1 == component2

Results in

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/lib/python3.8/site-packages/cyclonedx/model/component.py", line 508, in __eq__
    return hash(other) == hash(self)
  File "/lib/python3.8/site-packages/cyclonedx/model/component.py", line 512, in __hash__
    return hash((
TypeError: unhashable type: 'list'

Library version: 1.3.0
OS: CentOS 8

I received the following error while attempting to upgrade to the latest version of setuptools: cyclonedx-python-lib 0.11.1 requires setuptools<51.0.0,>=50.3.2, but you have setuptools 59.6.0 which is incompatible.

Running pip install setuptools==50.3.2 was my work-around for this problem

JSF is/has been incorporated into the core spec for Version 1.4 (JSON). This feature will delivery JSF support.

This feature was bumped from the initial release (#108).

Raised in response to CycloneDX/cyclonedx-python#244.

It will only be possible to obtain licensing for packages installed in a Python environment.

License information is not available in:

• requirements.txt files
• Pipfile.lock files
• poetry.lock files

Example BOM generation:

bom = Bom(components=[
        Component(
            name='toml', version='0.10.2', bom_ref='pkg:pypi/[email protected]?extension=tar.gz',
            purl=PackageURL(
                type='pypi', name='toml', version='0.10.2', qualifiers='extension=tar.gz'
            ), hashes=[
                HashType.from_composite_str('sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b')
            ], external_references=[
                get_external_reference_1()
            ]
        )
    ])

Generates

...
<externalReferences>
                <reference type="distribution">
                    <url>https://cyclonedx.org</url>
                    <comment>No comment</comment>
                    <hashes>
                        <hash alg="SHA-256">806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b</hash>
                    </hashes>
                </reference>
            </externalReferences>
...

.externalReferences.hashes is not part of the schema prior to version 1.3.

Hi there!

I'm trying to emit a CycloneDX SBOM in pypa/pip-audit#109, including vulnerability information via the Vulnerability model. Everything works swimmingly when I serialize to XML:

<?xml version="1.0" encoding="UTF-8"?>
<bom serialNumber="urn:uuid:5f03d520-4ca9-4025-8781-b0711cc98cda" version="1" xmlns="http://cyclonedx.org/schema/bom/1.3" xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0">
  <metadata>
    <timestamp>2021-11-09T18:46:43.718858+00:00</timestamp>
    <tools>
      <tool>
        <vendor>CycloneDX</vendor>
        <name>cyclonedx-python-lib</name>
        <version>0.10.0</version>
      </tool>
    </tools>
  </metadata>
  <components>
    <component bom-ref="pkg:pypi/[email protected]" type="library">
      <name>docker-py</name>
      <version>1.2.3</version>
      <purl>pkg:pypi/[email protected]</purl>
    </component>
    <component bom-ref="pkg:pypi/[email protected]" type="library">
      <name>certifi</name>
      <version>2021.10.8</version>
      <purl>pkg:pypi/[email protected]</purl>
    </component>
    <component bom-ref="pkg:pypi/[email protected]" type="library">
      <name>charset-normalizer</name>
      <version>2.0.7</version>
      <purl>pkg:pypi/[email protected]</purl>
    </component>
    <component bom-ref="pkg:pypi/[email protected]" type="library">
      <name>idna</name>
      <version>3.3</version>
      <purl>pkg:pypi/[email protected]</purl>
    </component>
    <component bom-ref="pkg:pypi/[email protected]" type="library">
      <name>pip</name>
      <version>21.3.1</version>
      <purl>pkg:pypi/[email protected]</purl>
    </component>
    <component bom-ref="pkg:pypi/[email protected]" type="library">
      <name>requests</name>
      <version>2.26.0</version>
      <purl>pkg:pypi/[email protected]</purl>
    </component>
    <component bom-ref="pkg:pypi/[email protected]" type="library">
      <name>setuptools</name>
      <version>40.6.2</version>
      <purl>pkg:pypi/[email protected]</purl>
    </component>
    <component bom-ref="pkg:pypi/[email protected]" type="library">
      <name>six</name>
      <version>1.16.0</version>
      <purl>pkg:pypi/[email protected]</purl>
    </component>
    <component bom-ref="pkg:pypi/[email protected]" type="library">
      <name>urllib3</name>
      <version>1.26.7</version>
      <purl>pkg:pypi/[email protected]</purl>
    </component>
    <component bom-ref="pkg:pypi/[email protected]" type="library">
      <name>pyyaml</name>
      <version>5.3</version>
      <purl>pkg:pypi/[email protected]</purl>
      <v:vulnerabilities>
        <v:vulnerability ref="pkg:pypi/[email protected]">
          <v:id>PYSEC-2020-96</v:id>
          <v:description>A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.</v:description>
          <v:recommendations>
            <v:recommendation>Upgrade</v:recommendation>
          </v:recommendations>
          <v:advisories>
            <v:advisory>Upgrade: 5.3.1</v:advisory>
          </v:advisories>
        </v:vulnerability>
        <v:vulnerability ref="pkg:pypi/[email protected]">
          <v:id>PYSEC-2021-142</v:id>
          <v:description>A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.</v:description>
          <v:recommendations>
            <v:recommendation>Upgrade</v:recommendation>
          </v:recommendations>
          <v:advisories>
            <v:advisory>Upgrade: 5.4</v:advisory>
          </v:advisories>
        </v:vulnerability>
      </v:vulnerabilities>
    </component>
  </components>
</bom>

...but when I serialize to JSON, I don't see the Vulnerability models:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "serialNumber": "urn:uuid:f944e708-ff5f-4ce1-bd4f-c8c4ab73fee1",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "docker-py",
      "version": "1.2.3",
      "purl": "pkg:pypi/[email protected]"
    },
    {
      "type": "library",
      "name": "certifi",
      "version": "2021.10.8",
      "purl": "pkg:pypi/[email protected]"
    },
    {
      "type": "library",
      "name": "charset-normalizer",
      "version": "2.0.7",
      "purl": "pkg:pypi/[email protected]"
    },
    {
      "type": "library",
      "name": "idna",
      "version": "3.3",
      "purl": "pkg:pypi/[email protected]"
    },
    {
      "type": "library",
      "name": "pip",
      "version": "21.3.1",
      "purl": "pkg:pypi/[email protected]"
    },
    {
      "type": "library",
      "name": "requests",
      "version": "2.26.0",
      "purl": "pkg:pypi/[email protected]"
    },
    {
      "type": "library",
      "name": "setuptools",
      "version": "40.6.2",
      "purl": "pkg:pypi/[email protected]"
    },
    {
      "type": "library",
      "name": "six",
      "version": "1.16.0",
      "purl": "pkg:pypi/[email protected]"
    },
    {
      "type": "library",
      "name": "urllib3",
      "version": "1.26.7",
      "purl": "pkg:pypi/[email protected]"
    },
    {
      "type": "library",
      "name": "pyyaml",
      "version": "5.3",
      "purl": "pkg:pypi/[email protected]"
    }
  ],
  "metadata": {
    "timestamp": "2021-11-09T18:54:54.216112+00:00",
    "tools": [
      {
        "vendor": "CycloneDX",
        "name": "cyclonedx-python-lib",
        "version": "0.10.0"
      }
    ]
  }
}

Is this intentional? I would have expected it to be present in both formats, and the examples on cyclonedx.org seem to imply that the JSON format should also include vulnerability information.

Creating issue to track adoption of the forthcoming version 1.4 schema specification for CycloneDX.

Preview work can be seen here, but this IS NOT FINAL.

Current estimates are that version 1.4 will be finalised late 2021, early 2022.

Example code to produce BOM:

bom = Bom(
        components=[Component(
            name='setuptools', version='50.3.2', bom_ref='pkg:pypi/[email protected]?extension=tar.gz',
            purl=PackageURL(
                type='pypi', name='setuptools', version='50.3.2', qualifiers='extension=tar.gz'
            ), license_str='MIT License', author='Test Author'
        )]
    )

This attempts to produce XML for the Component as follows:

<component type="library" bom-ref="pkg:pypi/[email protected]?extension=tar.gz">
            <name>setuptools</name>
            <version>50.3.2</version>
            <licenses>
                <expression>MIT License</expression>
            </licenses>
            <cpe>cpe:2.3:a:python:setuptools:50.3.2:*:*:*:*:*:*:*</cpe>
            <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
        </component>

.licenses.expression is not permissible in schema version 1.0.

First of all, thanks for this fantastic library!

I'm currently working on using cyclonedx-python-lib to generate SBOMs within pip-audit.

Our codebase is fully typechecked (via MyPy), and it looks like this library is too! But we can't currently consume your type hints, since the cyclonedx package doesn't include a py.typed file per PEP 561.

Is there any objection to including that file, so that downstream users can typecheck their API use? If not, I can go ahead and create a PR -- it should be just a 2 or 3 line change.

Python 3.10 officially released on 09-Nov-2021 - support for this should be included / verified.

some runtime-dependencies are actually dev-dependencies:

• typed-ast
• types-setuptools
• types-tom

acc / cit

• the deps are not installed per default, if this package is installed.

as they might be needed by others in upstream, we still might add them es an extra called "typing"

I tried to add a component description, but it does not end up in the generated XML file.

from cyclonedx.model.component import Component
from cyclonedx.model.bom import Bom
from cyclonedx.output import BaseOutput, get_instance, OutputFormat, SchemaVersion
from cyclonedx.parser import BaseParser

class TrivialParser(BaseParser):

    def __init__(self):
        c = Component(name='foo',
                      version='1.0.0',
                      description='My description',
                      author='My Author')
        self._components.append(c)


parser = TrivialParser()
bom = Bom.from_parser(parser)
inst = get_instance(
    bom=bom,
    output_format=OutputFormat['XML'],
    schema_version=SchemaVersion['V{}'.format(
        str(1.4).replace('.', '_')
    )]
)
inst.output_to_file('bom.xml')

The output does not contain the description content.

I would expect the XML output to contain the description text, as specified in the schema
(https://cyclonedx.org/docs/1.4/xml/#type_component)

Is this just an usage error or missing functionality?

Example from cyclonedx-python:

py3.7 run-test: commands[2] | poetry run coverage run --source=cyclonedx_py -m unittest discover -s tests
Traceback (most recent call last):
  File "C:\hostedtoolcache\windows\Python\3.7.9\x64\lib\runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "C:\hostedtoolcache\windows\Python\3.7.9\x64\lib\runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "D:\a\cyclonedx-python\cyclonedx-python\.tox\py3.7\Scripts\cyclonedx-py.exe\__main__.py", line 7, in <module>
  File "D:\a\cyclonedx-python\cyclonedx-python\.tox\py3.7\lib\site-packages\cyclonedx_py\client.py", line 211, in main
    CycloneDxCmd(args).execute()
  File "D:\a\cyclonedx-python\cyclonedx-python\.tox\py3.7\lib\site-packages\cyclonedx_py\client.py", line 97, in execute
    output.output_to_file(filename=output_filename, allow_overwrite=self._arguments.output_file_overwrite)
  File "D:\a\cyclonedx-python\cyclonedx-python\.tox\py3.7\lib\site-packages\cyclonedx\output\__init__.py", line 73, in output_to_file
    f_out.write(self.output_as_string())
  File "C:\hostedtoolcache\windows\Python\3.7.9\x64\lib\encodings\cp1252.py", line 19, in encode
    return codecs.charmap_encode(input,self.errors,encoding_table)[0]
UnicodeEncodeError: 'charmap' codec can't encode character '\u0141' in position 1805: character maps to <undefined>