HISTORY.md

Changelog

All notable changes to this project will be documented in this file.

unreleased

3.4.2 - 2024-10-24

• Fixed
  • Encode quotation mark in URLs (via #477)

3.4.1 - 2024-08-31

• Docs
  • Fixed typos in DocBlocks (via #466)
• Style
  • Applied latest PHP Coding Standards (via #465)
• Misc
  • Fetched latest schema definition files for offline usage (via #467)

3.4.0 - 2024-05-06

• Changed
  • Updated SPDX license list to v3.24.0 (via #439)

3.3.1 - 2024-05-06

• Fixed
  • JSON validator allow arbitrary $schema value (#435 via #436)

3.3.0 - 2024-04-26

• Changed
  • Classes \CycloneDX\Core\Serialization\{DOM,JSON}\Normalizers\LicenseNormalizer support license acknowledgement now (#428 via #429)
• Added
  • Namespace \CycloneDX\Core\Enums
    • New enum: LicenseAcknowledgement (#428 via #429)
  • Namespace \CycloneDX\Core\Models\License
    • New methods LicenseExpression::{get,set}Acknowledgement() (#428 via #429)
    • New methods NamedLicense::{get,set}Acknowledgement() (#428 via #429)
    • New methods SpdxLicense::{get,set}Acknowledgement() (#428 via #429)

3.2.0 - 2024-04-10

Added basic support for CycloneDX Specification-1.6.

• Changed
  • Method \CycloneDX\Core\Spec\SpecFactory::makeForVersion() supports CycloneDX Specification-1.6 now (#421 via #422)
  • Classes \CycloneDX\Core\Serialization\{DOM,JSON}\Normalizers\* support CycloneDX Specification-1.6 now (#421 via #422)
  • Classes \CycloneDX\Core\Validation\Validators\* support CycloneDX Specification-1.6 now (#421 via #422)
• Added
  • Namespace \CycloneDX\Core\Enums
    • Enum ComponentType got new cases (#421 via #422)
      New: CryptographicAsset
  • Enum ExternalReferenceType got new cases (#421 via #422)
    New: SourceDistribution, ElectronicSignature, DigitalSignature, RFC9116
  • Namespace \CycloneDX\Core\Spec
    • New method SpecFactory::make1dot6() to reflect CycloneDX Specification-1.6 (#421 via #422)
    • Enum Version got new case v1dot6 to reflect CycloneDX Specification-1.6 (#421 via #422)
• Style
  • Applied latest PHP Coding Standards (via #415)

3.1.2 - 2024-03-18

• Documentation
  • Rendered (API) docs are hosted on readthedocs (#8 via #414)

3.1.1 - 2024-02-05

• Style
  • Applied latest PHP Coding Standards (via #395, #398, #399, #402)

3.1.0 - 2023-12-02

• Added
  • Migration/fixup of URL(iri-reference) when normalizing to JSON (via #380)

3.0.2 - 2023-11-27

• Misc
  • Officially support PHP 8.3 (via #265)
  • Integration tests compare against human-readable snapshots, for regression (via #371, #372)

3.0.1 - 2023-09-16

• Fixed
  • fixed a possible JSON schema validation issue regarding "version" property (via #352)

3.0.0 - 2023-08-27

• BREAKING
  • Interface \CycloneDX\Core\Spec\Spec was removed from public API (#344 via #345)
    This is only a breaking change if you custom-implemented this interface downstream; internal usage is non-breaking.
    This change was necessary, so that implementing more spec-features cause no breaking changes.
• Style
  • Applied latest PHP Coding Standards (via #341)

2.3.0 - 2023-06-27

Added support for CycloneDX Specification-1.5.

• Changed
  • Method \CycloneDX\Core\Spec\SpecFactory::makeForVersion() supports CycloneDX Specification-1.5 now (#193 via #255)
  • Classes \CycloneDX\Core\Serialization\{DOM,JSON}\Normalizers\* support CycloneDX Specification-1.5 now (#193 via #255)
  • Classes \CycloneDX\Core\Validation\Validators\* support CycloneDX Specification-1.5 now (#193 via #255)
• Added
  • Namespace \CycloneDX\Core\Enums
    • Enum ComponentType got new cases (#193 via #255)
      New: Data, DeviceDriver, MachineLearningModel, Platform
    • Enum ExternalReferenceType got new cases (#193 via #255)
      New: AdversaryModel, Attestation, CertificationReport, CodifiedInfrastructure, ComponentAnalysisReport, Configuration, DistributionIntake, DynamicAnalysisReport, Evidence, ExploitabilityStatement, Formulation, Log, MaturityReport, ModelCard, POAM, PentestReport, QualityMetrics, RiskAssessment, RuntimeAnalysisReport, SecurityContact, StaticAnalysisReport, ThreatModel, VulnerabilityAssertion
  • Namespace \CycloneDX\Core\Spec
    • New method SpecFactory::make1dot5() to reflect CycloneDX Specification-1.5 (#193 via #255)
    • Enum Version got new case v1dot5 to reflect CycloneDX Specification-1.5 (#193 via #255)
• Misc
  • Added functional and integration tests for CycloneDX Specification-1.5 (#193 via #255)
  • Fetched latest stable schema definition files for offline usage (via #255)

2.2.0 - 2023-06-02

• Changed
  • Class \CycloneDX\Core\Serialization\JsonSerializer
    • Property normalizerFactory became protected readonly, was private readonly (#305 via #306)
    • Property jsonEncodeFlags became protected readonly, was private readonly (#305 via #306)
  • Class \CycloneDX\Core\Serialization\XmlSerializer
    • Property normalizerFactory became protected readonly, was private readonly (#305 via #306)
    • Property xmlVersion became protected readonly, was private readonly (#305 via #306)
    • Property xmlEncoding became protected readonly, was private readonly (#305 via #306)
• Style
  • Applied latest PHP Coding Standards (via #302)
    Some parameters allow nullables implicitly, was explicitly.
  • Wrote some class properties with constructor promotion (via #309)

2.1.2 - 2023-04-05

• Fixed
  • \CycloneDX\Core\Serialization\{DOM,JSON}\Normalizers\LicenseRepositoryNormalizer::normalize() now omits invalid license combinations (#285 via #290)
    If there is any LicenseExpression, then this is the only license normalized; otherwise all licenses are normalized.
• Docs
  • Fixed link to CycloneDX-specification in README (via #288)

2.1.1 - 2023-03-28

• Docs
  • Announce and annotate the generator for BOM's SerialNumber (#277 via #282)

2.1.0 - 2023-03-24

• Fixed
  • "Bom.serialNumber" data model can have values following the alternative format allowed in CycloneDX XML specification (#277 via #278)
  • \CycloneDX\Core\Serialization\{DOM,JSON}\Normalizers\BomNormalizer::normalize() now omits invalid/unsupported values for serialNumber (#277 via #278)
• Changed
  • \CycloneDX\Core\Models\Bom::setSerialNumber() no longer throws \DomainException when the value is of an unsupported format (#277 via #278)
    This is considered a non-breaking behaviour change, because the corresponding normalizers assure valid data results.
• Added
  • Published generator for BOM's SerialNumber: \CycloneDX\Core\Utils\BomUtility::randomSerialNumber() (#277 via #278)
    The code was donated from cyclonedx-php-composer.

2.0.0 - 2023-03-20

• BREAKING
  • Removed support for PHP v7.3 (#6 via #125)
  • Removed support for PHP v7.4 (#114 via #125)
  • Removed support for PHP v8.0 (via #204)
  • Changed models' aggregation properties to be no longer optional (#66 via #131)
  • Changed models to be less restrictive (#247 via #249)
  • Streamlined repository data structures to follow a common method naming scheme (via #131)
  • Enumeration-like classes were converted to native PHP Enumerations (#140, #256 via #204, #257)
• Added
  • Support for CycloneDX schema/spec v1.4 (#57 via #65, #118, #123)
  • Support for properties (#228 via #165, #229, #231)
• Misc
  • All class properties now enforce the correct types (#6, #114 via #125)
    This is considered a non-breaking change, because the types were already correctly annotated.
  • Migrated internals to PHP8 language features (#114 via #125)

API changes v2 - the details

• Overall
  • BREAKING: enforced the use of concrete UnionTypes instead of protocols/interfaces/abstracts (#114 via #125)
    Affected the usages of no longer public \CycloneDX\Core\Models\License\AbstractDisjunctiveLicense and methods that used license-related classes. This was possible due to PHP8's UnionType language feature.
  • Changed some methods to no longer throw \InvalidArgumentException (via #125)
    PhpDoc annotations were updated, so that code analysis tools should pick up. This was possible by enforcing correct typing on PHP8 language level.
  • BREAKING: every occurrence of {M,m}etaData with a capital "D" was renamed to {M,m}etadata with a small "d" (#133 via #131, #149)
    This affects class names, method names, variable names, property names, file names, documentation - everything.
• \CycloneDX\Core\Collections namespace
  • Added new class CopyrightRepository (#238 via #241)
  • Added new class PropertyRepository (#228 via #165)
• \CycloneDX\Core\Enum namespace
  • Classification class
    • BREAKING: renamed class to ComponentType (via #170)
    • BREAKING: became a native PHP Enumeration type (#140 via #204)
    • BREAKING: all const converted to case with UpperCamelCase naming scheme (#256 via #257)
    • BREAKING: method isValidValue() was removed (via #204)
  • ExternalReferenceType class
    • BREAKING: became a native PHP Enumeration type (#140 via #204)
    • BREAKING: all const converted to case with UpperCamelCase naming scheme (#256 via #257)
    • BREAKING: method isValidValue() was removed (via #204)
    • Added case RELEASE_NOTES to reflect CycloneDX v1.4 (#57 via #65)
  • HashAlgorithm class
    • BREAKING: became a native PHP Enumeration type (#140 via #204)
    • BREAKING: all const converted to case with UpperCamelCase naming scheme (#256 via #257)
    • BREAKING: method isValidValue() was removed (via #204)
• CycloneDX\Core\Factories namespace
  • LicenseFactory class
    • BREAKING: check whether something is a valid SPDX Expression is now complete, was best effort implementation (#247 via #249)
      This affects all methods that potentially would create LicenseExpression models.
      Utilizes composer/spdx-licenses.
    • BREAKING: changed constructor method __construct() (via #249)
    • BREAKING: removed method makeDisjunctiveFromExpression() (#163 vial #166)
    • BREAKING: removed method setSpdxLicenseValidator() (via #249)
    • BREAKING: renamed method getSpdxLicenseValidator() -> getLicenseIdentifiers() (via #249)
    • BREAKING: renamed method makeDisjunctiveWithId() -> makeSpdxLicense() (#164 vial #168)
    • BREAKING: renamed method makeDisjunctiveWithName() -> makeNamedLicense() (#164 vial #168)
    • Added new method getSpdxLicenses() (via #249)
• \CycloneDX\Core\Models namespace
  • Bom class
    • BREAKING: changed constructor to no longer accept components (#187 via #188)
    • BREAKING: renamed methods {get,set}ComponentRepository() -> {get,set}Components() (#133 via #131)
    • BREAKING: renamed methods {get,set}ExternalReferenceRepository() -> {get,set}ExternalReferences() (#133 via #131)
      Also changed parameter & return type to non-nullable, was nullable (#66 via #131)
    • BREAKING: renamed methods {get,set}MetaData() -> {get,set}Metadata() (#133 via #131)
      Also changed parameter & return type to non-nullable, was nullable (#66 via #131)
    • Added new methods {get,set}Properties() (#228 via #229)
    • Added new methods {get,set}SerialNumber() (via #186)
  • Component class
    • BREAKING: renamed methods {get,set}DependenciesBomRefRepository() -> {get,set}Dependencies() (#133 via #131)
      Also changed parameter & return type to non-nullable, was nullable (#66 via #131)
    • BREAKING: renamed methods {get,set}ExternalReferenceRepository() -> {get,set}ExternalReferences() (#133 via #131)
      Also changed parameter & return type to non-nullable, was nullable (#66 via #131)
    • BREAKING: renamed methods {get,set}HashRepository() -> {get,set}Hashes() (#133 via #131)
      Also changed parameter & return type to non-nullable, was nullable (#66 via #131)
    • BREAKING: renamed methods {get,set}License() -> {get,set}Licenses() (via #131)
      Also changed it work with class LicenseRepository only, was working with various Models\License\* types (#66 via #131)
    • BREAKING: changed class property version to be optional, to reflect CycloneDX v1.4 (#27 via #118, #131)
      This affects constructor arguments, and affects methods {get,set}Version().
    • BREAKING: changed property type to be of type \CycloneDX\Core\Enum\ComponentType (#140 via #204)
      This affects constructor arguments, and affects methods {get,set}Type().
    • Added new methods {get,set}Author() ([#184] via #185)
    • Added new methods {get,set}Copyright() (#238 via #239)
    • Added new methods {get,set}Evidence() (#238 via #241)
    • Added new methods {get,set}Properties() (#228 via #165)
  • Added new class ComponentEvidence (#238 via #241)
  • ExternalReference class
    • BREAKING: renamed methods {get,set}HashRepository() -> {get,set}Hashes() (#133 via #131)
      Also changed parameter & return type to non-nullable, was nullable (#66 via #131)
    • BREAKING: changed property type to be of type \CycloneDX\Core\Enum\ExternalReferenceType (#140 via #204)
      This affects constructor arguments, and affects methods {get,set}Type().
  • Licenses namespace
    • AbstractDisjunctiveLicense
      • BREAKING: removed this class (via #125, #131)
    • DisjunctiveLicenseWithName class
      • BREAKING: renamed class to NamedLicense (#164 via #168)
    • DisjunctiveLicenseWithId class
      • BREAKING: renamed class to SpdxLicense (#164 via #168)
      • BREAKING: removed factory method makeValidated() (#247 via #249) To assert valid values use \CycloneDX\Core\Factories\LicenseFactory::makeSpdxLicense().
      • Changed: constructor __construct() is public now, was private (#247 via #249)
      • Added new method setId() (#247 via #249)
    • LicenseExpression class
      • BREAKING: constructor __construct() and method setExpression() no longer do validation, but only assert that the parameter is no empty string (#247 ia #249)
        To assert valid values use \CycloneDX\Core\Factories\LicenseFactory::makeExpression().
      • BREAKING: removed method isValid() (#247 via #249)
  • MetaData class
    • BREAKING: renamed class to Metadata (#133 via #131)
      Even though PHP is case-insensitive with class names, autoloaders may be case-sensitive. Therefore, this is considered a breaking change.
    • BREAKING: changed methods {get,set}Tools() so that their parameter & return type is non-nullable, was nullable (#66 via #131)
    • Added new methods {get,set}Properties() (#228 via #165)
    • Added new methods {get,set}Timestamp() (via #180, #181)
  • Added new class Property (#228 via #165)
  • Tool class
    • BREAKING: renamed methods {get,set}ExternalReferenceRepository() -> {get,set}ExternalReferences() (#133 via #131)
      Also changed parameter & return type to non-nullable, was nullable (#66 via #131)
    • BREAKING: renamed methods {get,set}HashRepository() -> {get,set}Hashes() (#133 via #131)
      Also changed parameter & return type to non-nullable, was nullable (#66 via #131)
• \CycloneDX\Core\Repositories namespace
  • Overall:
    • BREAKING: renamed the namespace to \CycloneDX\Core\Collections (#133 via #131)
    • BREAKING: streamlined all classes, renamed all getters to getItems() and all setters to setItems() (#133 via #131)
      In addition, the method arguments were renamed to generic $items.
  • DisjunctiveLicenseRepository class
    • BREAKING: renamed the class to \CycloneDX\Core\Collections\LicenseRepository (via #131)
    • BREAKING: added the capability to also aggregate instances of class Models\LicenseExpression (via #131)
      Therefore, various getters and setters and the constructor changed their signatures, was usage of \CycloneDX\Core\Models\License\AbstractDisjunctiveLicense only.
  • HashRepository class
    • BREAKING: renamed to \CycloneDX\Core\Collections\HashDictionary (#133 via #131)
    • BREAKING: renamed all methods and changed all method signatures to match the overall streamlined scheme (#133 via #131)
    • BREAKING: changed all method signatures to enable handling of native PHP Enumeration type \CycloneDX\Core\Enum\HashAlgorithm (#140 via #204)
• \CycloneDX\Core\Serialize namespace
  • Overall
    • BREAKING: renamed namespace to Serialization (#5 via #146)
  • SerializerInterface interface
    • BREAKING: renamed to Serializer (#133 via #155)
    • BREAKING: method serialize() got a new optional parameter $prettyPrint (via #155)
    • BREAKING: method serialize() may throw \Throwable, was \Exception (via #253)
  • BaseSerializer abstract class
    • BREAKING: complete redesign (via #155)
  • {Json,Xml}Serializer class
    • BREAKING: complete redesign (via #155)
  • {DOM,JSON}\NormalizerFactory classes
    • BREAKING: removed method makeForLicenseExpression() (via #131)
    • BREAKING: removed method makeForDisjunctiveLicense() (via #131)
    • BREAKING: removed method makeForDisjunctiveLicenseRepository() (via #131)
    • BREAKING: removed method makeForHashRepositonary() - use makeForHashDictionary() instead (#133 via #131)
    • BREAKING: removed method setSpec() (via #131)
    • Added new method makeForComponentEvidence() (#238 via #241)
    • Added new method makeForHashDictionary() (#133 via #131)
    • Added new method makeForLicense() (via #131)
    • Added new method makeForLicenseRepository() (via #131)
  • {DOM,JSON}\Normalizers namespaces
    • BREAKING: removed classes DisjunctiveLicenseNormalizer - use LicenseNormalizer instead (via #131)
    • BREAKING: removed classes LicenseExpressionNormalizer - use LicenseNormalizer instead (via #131)
    • BREAKING: removed classes DisjunctiveLicenseRepositoryNormalizer (via #131)
    • BREAKING: renamed classes HashRepositoryNormalizer -> HashDictionaryNormalizer (#133 via #131)
      Also changed signatures to accept Models\HashDictionary instead of Models\HashRepository
    • BREAKING: changed signatures of class HashNormalizer to accept native PHP Enumeration type \CycloneDX\Core\Enum\HashAlgorithm (#140 via #204)
    • Added new classes ComponentEvidenceNormalizer that can normalize ComponentEvidence (#238 via #241)
    • Added new classes LicenseNormalizer that can normalize every existing license model (via #131)
    • Added new classes LicenseRepositoryNormalizer that can normalize LicenseRepository (via #131)
    • ExternalReferenceNormalizer classes
      • Changed the method normalize() to actually throw \DomainException when \ExternalReference's type was not supported by the spec (via #65)
        This is considered a non-breaking change, because the behaviour was already documented in the API, even though there was no need for an implementation before.
    • ExternalReferenceNormalizer classes
      • Changed, so that it tries to convert unsupported types to "other", before it throws a \DomainException (#137 via #147)
  • JSON\Normalizers\BomNormalizer class
    • Changed: method normalize()'s result data may contain the $schema string (via #155)
  • JSON\Normalizers\ExternalReferenceNormalizer class
    • BREAKING: method normalize() may throw \UnexpectedValueException when the url is invalid to format "ini-reference" (via #151)
• \CycloneDX\Core\Spdx namespace
  • BREAKING: renamed the class License -> LicenseIdentifiers (#133 via #143, #249)
  • BREAKING: renamed method getLicense() -> fixLicense() (via #249)
  • BREAKING: renamed method getLicenses() -> getKnownLicenses(), and removed keys from return value (via #249)
  • BREAKING: renamed method validate() -> isKnownLicense() (via #249)
• \CycloneDX\Core\Spec namespace
  • BREAKING: completely reworked everything (#139 via #142, #174, #204)
    See the code base for references
• \CycloneDX\Core\Validation namespace
  • BaseValidator class
    • BREAKING: removed deprecated method setSpec() (via #144)
  • ValidatorInterface interface
    • BREAKING: renamed interface to Validator (#133 via #143)
    • Removed specification of constructor __construct() (via #253)
    • Removed specification of method getSpec() (via #253)
  • Validators\{Json,JsonStrict,Xml}Validator classes
    • Added support for CycloneDX v1.4 (#57 via #65)
  • Validators\{Json,JsonStrict}Validator classes
    • Utilizes a much more competent validation library than before (#80 via #151)

1.6.3 - 2022-09-15

Maintenance Release.

• Legal:
  • Transferred copyright to OWASP Foundation. (via #121)

1.6.2 - 2022-09-12

Maintenance release.

• Docs:
  • Added "Responsibilities", "Capabilities" and "Usage" sections to README. (via #115)

1.6.1 - 2022-08-16

• Maintenance release.

1.6.0 - 2022-08-03

• Changed
  • Use version 9b04a94 of CycloneDX specification for XML and JSON schema validation. (via #105)
  • Use SPDX license enumeration from version 9b04a94 of CycloneDX specification. (via #105)
• Style
  • Fixe some whitespaces. (via #82)

1.5.0 - 2022-03-08

• Changed
  • Use version 82bf9e3 of CycloneDX specification for XML and JSON schema validation. (via #79)
  • Use SPDX license enumeration from version 82bf9e3 of CycloneDX specification. (via #79)

1.4.2 - 2022-02-05

• Fixed
  • Return type of CycloneDX\Core\Serialize\SerializerInterface::serialize() and implementations/usage are documented as non-empty-string, were undocumented string before. (via #70)

1.4.1 - 2022-01-31

• Fixed
  • CycloneDX\Core\Validation\ValidatorInterface::validateString() and implementations are documented as non-empty-string, were undocumented string before. (via #63)

1.4.0 - 2021-12-20

• Added
  • Resulting JSON files hold the correct $schema. (#43 via #42)

1.3.1 - 2021-12-03

• Fixed
  • XML serializer & DOM normalizer no longer generate invalid XML::anyURI. (via #34)

1.3.0 - 2021-12-01

• Changed
  • JSON result does no longer have slashes escaped in strings. (via #33)
    Old: "http:\/\/exampe.com"
    New: "http://exampe.com"

1.2.0 - 2021-11-29

• Added
  • Prevention of information-loss on metadata-component's ExternalReferences, when normalizing to a specification that does not support bom.metadata (via #26)

1.1.0 - 2021-11-25

• Added
  • Support for ExternalReferences in BOM and Component (via #17)

1.0.3 - 2021-11-15

• Fixed
  • CycloneDX\Core\Models\License\AbstractDisjunctiveLicense::setUrl() no longer restricts the argument to be a valid URL.
    Per schema definition licenseType.url should be a URI, not a URL. See #18
• Changed
  • CycloneDX\Core\Models\License\AbstractDisjunctiveLicense::setUrl() no longer throws InvalidArgumentException if the argument is not a URL (via #19)

1.0.2 - 2021-10-30

• Fixed
  • Psalm-annotation of CycloneDX\Core\Enums\Classification::isValidValue() (via #10)

1.0.1 - 2021-10-23

Removed composer's conflict constraint.
This was done to enable some workflows with package forks/mirrors that don't have proper version detection. See #9

1.0.0 - 2021-10-07

Initial release.
Split the library from /src/Core of cyclonedx-php-composer (346e6200fb2f5086061b15c2ee44f540893ce97d)