v0.8.0

This release ships with almost complete support for v1.5 of the CycloneDX specification.

The only exception being the extended data flow support, as used in SaaS BOMs.

Unfortunately, there are also breaking changes in this release:

• The type of Metadata.Tools has changed from *[]Tool to *ToolsChoice, to facilitate the deprecation of Tool in the spec
  • ToolsChoice holds both legacy *[]Tool, as well as the new *[]Component and *[]Service fields
  • The Tool type, as well as the ToolsChoice.Tools field are marked as deprecated
  • During encoding and decoding, it is asserted that only one of both options can be present, in accordance with the "One of" constraint of the spec
  • When encoding to lower spec versions than v1.5 (using EncodeVersion), Components and Services are automatically converted to legacy Tools
  • It is strongly recommended to use Components and Services. However, when consuming BOMs, applications should still expect legacy Tools to be present, and handle them accordingly.

Changelog

Fixes

• 64eb0c8: fix: remove format linters that require extra tooling (@nscuro)

Building and Packaging

• 696aa66: build(deps): bump actions/checkout from 3.5.3 to 4.1.0 (@dependabot[bot])
• b50b319: build(deps): bump actions/checkout from 4.1.0 to 4.1.1 (@dependabot[bot])
• 5cad1b0: build(deps): bump actions/setup-go from 4.1.0 to 5.0.0 (@dependabot[bot])
• b091061: build(deps): bump gitpod/workspace-go from d3603c7 to 94ae638 (@dependabot[bot])
• 9e310b6: build(deps): bump gitpod/workspace-go from f37c673 to d3603c7 (@dependabot[bot])
• 89494fd: build(deps): bump goreleaser/goreleaser-action from 4.4.0 to 5.0.0 (@dependabot[bot])

Others

• 61dd91e: feat(spec1-5): add support for machine learning (@nscuro)
• f831960: feat(spec1-5): update valid-vulnerability test snapshots (@nscuro)
• ffc9a4e: ci: enable more linters (@mmorel-35)
• 3feda75: feat(spec1-5): add additional external reference types (@nscuro)
• bd66a36: feat(spec1-5): add support for CVSSv4 scoring method (@nscuro)
• d597bb9: feat(spec1-5): add support for firstIssued and lastUpdated in vuln analysis (@nscuro)
• 2ae5445: feat(spec1-5): add support for additional compositions and composition identity (@nscuro)
• f856daa: feat(spec1-5): add support for formulation (@nscuro)
• 2fbde0e: feat(spec1-5): add support for identity, occurrences, and callstack evidence (@nscuro)
• 745a35a: feat(spec1-5): add support for licensing (@nscuro)
• b02255f: feat(spec1-5): add support for lifecycles (@nscuro)
• fe3a904: feat(spec1-5): add support for ssvc scoring method (@nscuro)
• 7d2713f: feat(spec1-5): add support for vulnerability proof of concept (@nscuro)
• 25b250a: feat(spec1-5): add support for vulnerability rejected timestamps (@nscuro)
• c7a84ac: feat(spec1-5): handle deprecation of tools (@nscuro)