3.5.0

Changed

The "Core" library was moved to an own package: https://packagist.org/packages/cyclonedx/cyclonedx-library
The new external package/library is a one-to-one copy of the original code from this project, which now is a dependency/required of this project. So usage/leverage of the original code is still possible without any changes for third parties.
See #87 for details.

3.4.1

Fixed

Improved compatibility to composer.

3.4.0

Changed

• Core library
  • Some repository data-types are lists of unique items, so no duplicates are kept.
    Affected classes/data-types :
    • ComponentRepository
    • DisjunctiveLicenseRepository
    • ToolRepository

Added

• CLI via composer make-bom
  • Will try to populate dependencies of the SBoM result.
• Core library
  • Added BomRef model to link bom elements in general.
    Added BomRefRepository data type as a collection of unique BomRef.
  • Added bomRef to Component model to link components as dependencies.
    Added dependencies to Component model.
  • Added ability to serialize dependencies to XML.
  • Added ability to serialize dependencies to JSON.

Misc

• Moved development docs to docs/dev/.
• Refactored the plugin's internals.

3.3.1

Fixed

• CLI via composer make-bom
  • Will ignore "AliasPackages" when generating the SBoM, since their alias-target is part of the SBoM already.

3.3.0

Changed

• Core library
  • SerializersGroups will skip unsupported elements silently, instead of forwarding caught exceptions.
    This results in an overall smoother SBoM generation process, just as intended.

Added

• CLI via composer make-bom
  • Will try to populate metadata of the SBoM result.
• Core library
  • Added models for spec elements: metadata, tools, tool
  • Added ability to serialize metadata to XML.
  • Added ability to serialize metadata to JSON.

Fixed

• CLI via composer make-bom
  • composer packages of type project or composer-plugin
    result as CycloneDX component of type application, was library.

Misc

• Updated demos/examples to reflect current state of SBoM results including metadata.
• Split some tests to more fine-grained scenarios.

3.2.0

Changed

• CLI via composer make-bom
  • All informational/error output will appear on STDERR, was STDOUT.
    Output of the SBoM might still happen on STDOUT.
    This makes utilization of STDOUT via --output-file=- more flexible (pipe, redirect)
    whilst verbosity can be increased via -v.

Added

• CLI via composer make-bom
  • Added an optional argument composer-file.
    If given, then the SBoM is generated based on that file instead of the file in the current working directory.
    This enables the plugin to analyze projects outside the plugin's own setup.

Fixed

• Fixed detection of invalid/outdated composer lock file.
• Fixed a rare case that caused the CLI to crash unexpectedly, if the composer lock file was unexpected.

Misc

• Added composer keywords.
• Refactored the plugin's internals.
• Added more tests for internals.

3.1.1

maintenance release

Misc

• Updated some documentation.
• Bumped some dev-tools.
• Added normalizer for composer.json files.

3.1.0

Feature release

Added

• CLI via composer make-bom
  • Per default the command will validate the resulting SBoM before writing it to file/stdOut.
  • Added a switch --no-validate to disable result validation.
  • When the verbosity is at "debug" level, then detailed debug info will be put out.
    This should help to find validation issues.
• Validation classes/methods to test SBoM
  in XML and JSON format
  for spec 1.1, 1.2, 1.3

3.0.0

Breaking Changes

• Now requires php ^7.3 || ^8.0, was ^7.1 || ^8.0.
• Now requires composer v2 - composer-plugin-api:^2.0, was composer-plugin-api:^1.1||^2.0.
• CLI via composer make-bom
  • Now defaults to the latest supported version of CycloneDX spec: 1.3
    See option --spec-version.
  • Deprecated switch --json was removed.
    Use option --output-format=JSON instead.
• Components' license in SpdxLicenseExpression format are no longer split into disjunctive licenses.
  They are still used properly in the resulting output file.
• Complete rewrite/refactor.
  Expect library classes/methods/functions to be removed, renamed or incompatible to previous versions - see the source for changes.

Added

• CLI
  • Output is less verbose per default. Can be increased via -v, -vv, -vvv.
  • Support for output to STDOUT. Use option --output-file=-.
  • Added an optional option --spec-version for the CycloneDX spec version.
    Supported values: "1.1", "1.2", "1.3".
    Defaults to "1.3".
• Support for JSON output format.
  JSON support was a preview before and became a basic part of the plugin now.

Removed

• This plugin no longer supports php<7.3.
• This plugin no longer supports composer v1.
• CLI
  • Deprecated switch --json was removed.
    Use option --output-format=JSON instead.

Fixed

• Some cases when the JSON SBoM generator created schema-invalid data.

Misc

• Utilize package-url/packageurl-php
  over own implementation.
• Added more tests during the build process.
• Added Psalm & PHP-CS-Fixer to the CI chain and fixed all findings accordingly.
• Added a demo run of the plugin to the CI chain.

2.1.1

Maintenance release.