From 8bf79509e0ee15efdd9787636575329eb8b12036 Mon Sep 17 00:00:00 2001 From: semantic-release Date: Thu, 18 Apr 2024 17:07:34 +0000 Subject: [PATCH 01/14] chore(release): 4.2.0 Automatically generated by python-semantic-release Signed-off-by: semantic-release Signed-off-by: jxdv --- CHANGELOG.md | 10 ++++++++++ cyclonedx_py/__init__.py | 2 +- docs/conf.py | 2 +- pyproject.toml | 2 +- 4 files changed, 13 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 50f5062d..65eaf523 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,16 @@ +## v4.2.0 (2024-04-18) + +### Feature + +* feat: support CycloneDX 1.6 output (#720) + + +Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> ([`639b35a`](https://github.com/CycloneDX/cyclonedx-python/commit/639b35ad7e9aa832a4ad9b489a2391348f97fc15)) + + ## v4.1.6 (2024-04-15) ### Fix diff --git a/cyclonedx_py/__init__.py b/cyclonedx_py/__init__.py index 442cd8a7..5599b7a7 100644 --- a/cyclonedx_py/__init__.py +++ b/cyclonedx_py/__init__.py @@ -15,7 +15,7 @@ # !! version is managed by `semantic_release` # do not use typing here, or else `semantic_release` might have issues finding the variable -__version__ = "4.1.6" # noqa:Q000 +__version__ = "4.2.0" # noqa:Q000 # There is no stable/public API. # However, you might call the stable CLI instead, like so: diff --git a/docs/conf.py b/docs/conf.py index c635f9f4..39f15a16 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -22,7 +22,7 @@ # The full version, including alpha/beta/rc tags # !! version is managed by semantic_release -release = "4.1.6" +release = "4.2.0" # -- General configuration --------------------------------------------------- diff --git a/pyproject.toml b/pyproject.toml index adff1650..43096bee 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -7,7 +7,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] # keep in sync with `cyclonedx_py/_internal/utils/cdx.py` name = "cyclonedx-bom" -version = "4.1.6" +version = "4.2.0" description = "CycloneDX Software Bill of Materials (SBOM) generator for Python projects and environments" authors = [ "Jan Kowalleck ", From 9508cd089575693212a128811111236690b20d15 Mon Sep 17 00:00:00 2001 From: jxdv Date: Thu, 18 Apr 2024 20:37:10 +0200 Subject: [PATCH 02/14] add release-GHCR job Signed-off-by: jxdv --- .github/workflows/release.yml | 78 +++++++++++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index acca2238..c60ddeb3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -233,3 +233,81 @@ jobs: docker rmi -f "$DOCKER_REPO:$VERSION" "$DOCKER_REPO:latest" + + release-GHCR: + name: "Release: GHCR" + needs: + - release-PyPI + if: | + !failure() && !cancelled() && + needs.release-PyPI.result == 'success' && + needs.release-PyPI.outputs.released == 'true' && + needs.release-PyPI.outputs.version && + needs.release-PyPI.outputs.tag + runs-on: ubuntu-latest + env: + VERSION: ${{ needs.release-PyPI.outputs.version }} + ARTIFACT_DOCKER_SBOM: 'docker-image-bom' + DOCKER_REPO: cyclonedx/cyclonedx-python + steps: + - name: Checkout code (${{ env.TAG }}) + uses: actions/checkout@v4 + with: + ref: ${{ needs.release-PyPI.outputs.tag }} + - name: setup dirs + run: | + mkdir "$REPORTS_DIR" + mkdir "$DIST_DIR" + - name: Fetch python dist artifact + uses: actions/download-artifact@v3 + with: + name: ${{ env.DIST_ARTIFACT }} + path: ${{ env.DIST_DIR }}/ + - name: Build Docker Image (${{ env.VERSION }}) + run: > + docker build -f Dockerfile + --build-arg "VERSION=$VERSION" + -t "$DOCKER_REPO:$VERSION" + -t "$DOCKER_REPO:latest" + . + - name: Build own SBoM (XML) + run: > + docker run --rm "$DOCKER_REPO:$VERSION" + environment + -vvv + --output-format XML + > "$REPORTS_DIR/$ARTIFACT_DOCKER_SBOM.bom.xml" + - name: Build own SBoM (JSON) + run: > + docker run --rm "$DOCKER_REPO:$VERSION" + environment + -vvv + --output-format JSON + > "$REPORTS_DIR/$ARTIFACT_DOCKER_SBOM.bom.json" + - name: Artifact reports + if: ${{ ! 
cancelled() }} + uses: actions/upload-artifact@v3 + with: + name: ${{ env.ARTIFACT_DOCKER_SBOM }} + path: ${{ env.REPORTS_DIR }}/*.bom.* + if-no-files-found: error + - name: Docker login to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ secrets.GHCR_USERNAME }} + password: ${{ secrets.GHCR_TOKEN }} + - name: Publish Docker Image for version "${{ env.VERSION }}" to GHCR + run: docker push "$DOCKER_REPO:$VERSION" + - name: Publish Docker Image as "latest" to GHCR + if: ${{ github.event.inputs.prerelease == 'false' }} + run: docker push "$DOCKER_REPO:latest" + - name: Docker logout from GHCR + if: ${{ always() }} + run: docker logout ghcr.io + - name: Destroy Docker image + if: ${{ always() }} + run: > + docker rmi -f + "$DOCKER_REPO:$VERSION" + "$DOCKER_REPO:latest" \ No newline at end of file From 2e9d2fcd57baf1a539a286caa53b7ccdec2fbf6e Mon Sep 17 00:00:00 2001 From: jxdv Date: Fri, 19 Apr 2024 18:00:32 +0200 Subject: [PATCH 03/14] remove redundant job & fix typo Signed-off-by: jxdv --- .github/workflows/release.yml | 80 +---------------------------------- 1 file changed, 1 insertion(+), 79 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c60ddeb3..5285bdb4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -35,7 +35,7 @@ on: concurrency: group: release - cancel-in-progress: false # prevent hickups with semantic-release + cancel-in-progress: false # prevent hiccups with semantic-release env: REPORTS_DIR: CI_reports 
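Review bot: The `Docker login to GHCR` step authenticates with the long-lived `secrets.GHCR_USERNAME`/`secrets.GHCR_TOKEN` pair although the workflow runs inside the same repository, where the run-scoped `GITHUB_TOKEN` is normally sufficient: `username: ${{ github.actor }}` and `password: ${{ secrets.GITHUB_TOKEN }}`, with `permissions: packages: write` (plus `contents: read`) declared on the job. That removes a personal access token that has to be stored and rotated, and it limits what a misbehaving step in this job can reach to this run. The same login block recurs in PATCH 04's `@@ -212,16 +215,27 @@` hunk and PATCH 06's `@@ -216,16 +216,20 @@` hunk. The step name `Checkout code (${{ env.TAG }})` refers to `env.TAG`, which is not set in this job's `env:`; unless it is defined at workflow level outside the hunk, the name renders empty. The `jobs:` mapping this job belongs to starts outside the hunk.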
@@ -233,81 +233,3 @@ jobs: docker rmi -f "$DOCKER_REPO:$VERSION" "$DOCKER_REPO:latest" - - release-GHCR: - name: "Release: GHCR" - needs: - - release-PyPI - if: | - !failure() && !cancelled() && - needs.release-PyPI.result == 'success' && - needs.release-PyPI.outputs.released == 'true' && - needs.release-PyPI.outputs.version && - needs.release-PyPI.outputs.tag - runs-on: ubuntu-latest - env: - VERSION: ${{ needs.release-PyPI.outputs.version }} - ARTIFACT_DOCKER_SBOM: 'docker-image-bom' - DOCKER_REPO: cyclonedx/cyclonedx-python - steps: - - name: Checkout code (${{ env.TAG }}) - uses: actions/checkout@v4 - with: - ref: ${{ needs.release-PyPI.outputs.tag }} - - name: setup dirs - run: | - mkdir "$REPORTS_DIR" - mkdir "$DIST_DIR" - - name: Fetch python dist artifact - uses: actions/download-artifact@v3 - with: - name: ${{ env.DIST_ARTIFACT }} - path: ${{ env.DIST_DIR }}/ - - name: Build Docker Image (${{ env.VERSION }}) - run: > - docker build -f Dockerfile - --build-arg "VERSION=$VERSION" - -t "$DOCKER_REPO:$VERSION" - -t "$DOCKER_REPO:latest" - . - - name: Build own SBoM (XML) - run: > - docker run --rm "$DOCKER_REPO:$VERSION" - environment - -vvv - --output-format XML - > "$REPORTS_DIR/$ARTIFACT_DOCKER_SBOM.bom.xml" - - name: Build own SBoM (JSON) - run: > - docker run --rm "$DOCKER_REPO:$VERSION" - environment - -vvv - --output-format JSON - > "$REPORTS_DIR/$ARTIFACT_DOCKER_SBOM.bom.json" - - name: Artifact reports - if: ${{ ! 
cancelled() }} - uses: actions/upload-artifact@v3 - with: - name: ${{ env.ARTIFACT_DOCKER_SBOM }} - path: ${{ env.REPORTS_DIR }}/*.bom.* - if-no-files-found: error - - name: Docker login to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ secrets.GHCR_USERNAME }} - password: ${{ secrets.GHCR_TOKEN }} - - name: Publish Docker Image for version "${{ env.VERSION }}" to GHCR - run: docker push "$DOCKER_REPO:$VERSION" - - name: Publish Docker Image as "latest" to GHCR - if: ${{ github.event.inputs.prerelease == 'false' }} - run: docker push "$DOCKER_REPO:latest" - - name: Docker logout from GHCR - if: ${{ always() }} - run: docker logout ghcr.io - - name: Destroy Docker image - if: ${{ always() }} - run: > - docker rmi -f - "$DOCKER_REPO:$VERSION" - "$DOCKER_REPO:latest" \ No newline at end of file From 25d24494800feac98f2fbed6af7f8aed94b8c2a1 Mon Sep 17 00:00:00 2001 From: jxdv Date: Fri, 19 Apr 2024 18:18:00 +0200 Subject: [PATCH 04/14] update release-DockerHub job Signed-off-by: jxdv --- .github/workflows/release.yml | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5285bdb4..f2eeccf4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -165,7 +165,8 @@ jobs: env: VERSION: ${{ needs.release-PyPI.outputs.version }} ARTIFACT_DOCKER_SBOM: 'docker-image-bom' - DOCKER_REPO: cyclonedx/cyclonedx-python + DOCKERHUB_REPO: cyclonedx/cyclonedx-python + GHCR_REPO: ${{ github.repository }} steps: - name: Checkout code (${{ env.TAG }}) # see https://github.com/actions/checkout 
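Review bot: `GHCR_REPO: ${{ github.repository }}` is not a usable GHCR image reference: it carries no `ghcr.io/` registry prefix, so the later `docker push "$GHCR_REPO:$VERSION"` would be resolved against Docker Hub, and Docker repository names must be lowercase while the slug is `CycloneDX/cyclonedx-python` (as the CHANGELOG link in PATCH 01 shows), which `docker build -t` rejects as an invalid reference. Mirror the Docker Hub line with an explicit value, `GHCR_REPO: ghcr.io/cyclonedx/cyclonedx-python`, or lowercase the expression in a setup step before it is used. The job header `release-DockerHub:` is outside the hunk.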
@@ -186,19 +187,21 @@ jobs: run: > docker build -f Dockerfile --build-arg "VERSION=$VERSION" - -t "$DOCKER_REPO:$VERSION" - -t "$DOCKER_REPO:latest" + -t "$DOCKERHUB_REPO:$VERSION" + -t "$DOCKERHUB_REPO:latest" + -t "$GHCR_REPO:$VERSION" + -t "$GHCR_REPO:latest" . - name: Build own SBoM (XML) run: > - docker run --rm "$DOCKER_REPO:$VERSION" + docker run --rm "$DOCKERHUB_REPO:$VERSION" environment -vvv --output-format XML > "$REPORTS_DIR/$ARTIFACT_DOCKER_SBOM.bom.xml" - name: Build own SBoM (JSON) run: > - docker run --rm "$DOCKER_REPO:$VERSION" + docker run --rm "$DOCKERHUB_REPO:$VERSION" environment -vvv --output-format JSON @@ -212,16 +215,27 @@ jobs: path: ${{ env.REPORTS_DIR }}/*.bom.* if-no-files-found: error # publish AFTER the boms were build, as the bom-generation is kind of a test if the image works - - name: Docker login + - name: Login to Docker Hub run: docker login --username "$DOCKERHUB_USERNAME" --password "$DOCKERHUB_TOKEN" env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} - name: Publish Docker Image for version "${{ env.VERSION }}" - run: docker push "$DOCKER_REPO:$VERSION" + run: docker push "$DOCKERHUB_REPO:$VERSION" - name: Publish Docker Image as "latest" if: ${{ github.event.inputs.prerelease == 'false' }} - run: docker push "$DOCKER_REPO:latest" + run: docker push "$DOCKERHUB_REPO:latest" + - name: Login to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ secrets.GHCR_USERNAME }} + password: ${{ secrets.GHCR_TOKEN }} + - name: Publish Docker Image to GHCR for version "${{ env.VERSION }}" + run: docker push "$GHCR_REPO:$VERSION" + - name: Publish Docker Image as "latest" + if: ${{ github.event.inputs.prerelease == 'false' }} + run: docker push "$GHCR_REPO:latest" # TODO: publish all files in $REPORTS_DIR as release assets - see https://github.com/actions/upload-release-asset - name: Docker logout if: ${{ always() }} 
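Review bot: Two steps in the second hunk carry the identical name `Publish Docker Image as "latest"`, which makes the run log and any failure report ambiguous between the Docker Hub push and the GHCR push; rename the GHCR one, e.g. `- name: Publish Docker Image as "latest" to GHCR`. The SBoM steps keep running against `$DOCKERHUB_REPO:$VERSION` only; since every tag points at the same built image that is fine, but a short comment such as `# same image as the GHCR tags` would stop a reader from expecting a second generation pass. The job body continues outside both hunks.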
@@ -231,5 +245,5 @@ jobs: if: ${{ always() }} run: > docker rmi -f - "$DOCKER_REPO:$VERSION" - "$DOCKER_REPO:latest" + "$DOCKERHUB_REPO:$VERSION" + "$DOCKERHUB_REPO:latest" From da572deb23921c254282554f9b6c2536559d0260 Mon Sep 17 00:00:00 2001 From: jxdv Date: Sat, 20 Apr 2024 13:26:58 +0200 Subject: [PATCH 05/14] rename job and description Signed-off-by: jxdv --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f2eeccf4..578e2c22 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -151,8 +151,8 @@ jobs: # see https://python-semantic-release.readthedocs.io/en/latest/configuration.html?highlight=remove_dist#remove-dist - release-DockerHub: - name: "Release: DockerHub" + release-docker-image: + name: "Release: DockerHub & GHCR" needs: - release-PyPI if: | From b8b94092ae5f57743dcd33e2ef50768f9295e7ce Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Sat, 20 Apr 2024 16:01:40 +0200 Subject: [PATCH 06/14] tidy and docs Signed-off-by: Jan Kowalleck Signed-off-by: jxdv --- .github/workflows/release.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 578e2c22..0ea641af 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -216,16 +216,20 @@ jobs: if-no-files-found: error # publish AFTER the boms were build, as the bom-generation is kind of a test if the image works - name: Login to Docker Hub - run: docker login --username "$DOCKERHUB_USERNAME" --password "$DOCKERHUB_TOKEN" - env: - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} + # see hhttps://github.com/docker/login-action?tab=readme-ov-file#docker-hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Publish Docker Image for version "${{ env.VERSION }}" run: docker push "$DOCKERHUB_REPO:$VERSION" - name: Publish Docker Image as "latest" if: ${{ github.event.inputs.prerelease == 'false' }} run: docker push "$DOCKERHUB_REPO:latest" + # endregion + # region publish to GHCR - name: Login to GHCR + # see https://github.com/docker/login-action#github-container-registry uses: docker/login-action@v3 with: registry: ghcr.io @@ -236,10 +240,8 @@ jobs: - name: Publish Docker Image as "latest" if: ${{ github.event.inputs.prerelease == 'false' }} run: docker push "$GHCR_REPO:latest" + # endregion # TODO: publish all files in $REPORTS_DIR as release assets - see https://github.com/actions/upload-release-asset - - name: Docker logout - if: ${{ always() }} - run: docker logout - name: Destroy Docker image # run regardless of outcome if: ${{ always() }} @@ -247,3 +249,5 @@ jobs: docker rmi -f "$DOCKERHUB_REPO:$VERSION" "$DOCKERHUB_REPO:latest" + "$GHCR_REPO:$VERSION" + "$GHCR_REPO:latest" From d47640b07d131055f70b17378eda41ac94c08932 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Sat, 20 Apr 2024 15:43:59 +0200 Subject: [PATCH 07/14] feat: improve declared licenses detection (#722) - Add declared licenses from License Troves if not mapped to SPDX license ID - CycloneDX 1.6 mark licenses as "declared" fixes #718 --------- Signed-off-by: Jan Kowalleck 
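Review bot: The new comment above the Docker Hub login has a broken URL, `# see hhttps://github.com/docker/login-action?tab=readme-ov-file#docker-hub`; it should read `# see https://github.com/docker/login-action?tab=readme-ov-file#docker-hub`. The first hunk also introduces an `# endregion` marker whose matching `# region` is not in the hunk; if the Docker Hub part has none, add `# region publish to Docker Hub` above the login step so the markers pair up the way the GHCR ones do. The job continues outside the hunks in both directions.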
Signed-off-by: jxdv --- .../utils/license_trove_classifier.py | 12 +- cyclonedx_py/_internal/utils/packaging.py | 19 ++- cyclonedx_py/_internal/utils/pep621.py | 27 +++-- cyclonedx_py/_internal/utils/poetry.py | 7 +- pyproject.toml | 2 +- .../plain_editable-self_1.6.json.bin | 1 + .../plain_editable-self_1.6.xml.bin | 2 +- .../environment/plain_local_1.1.xml.bin | 3 + .../environment/plain_local_1.2.json.bin | 5 + .../environment/plain_local_1.2.xml.bin | 3 + .../environment/plain_local_1.3.json.bin | 5 + .../environment/plain_local_1.3.xml.bin | 3 + .../environment/plain_local_1.4.json.bin | 5 + .../environment/plain_local_1.4.xml.bin | 3 + .../environment/plain_local_1.5.json.bin | 5 + .../environment/plain_local_1.5.xml.bin | 3 + .../environment/plain_local_1.6.json.bin | 9 ++ .../environment/plain_local_1.6.xml.bin | 9 +- .../environment/plain_no-deps_1.6.json.bin | 1 + .../environment/plain_no-deps_1.6.xml.bin | 2 +- .../plain_normalize-packagename_1.6.json.bin | 4 + .../plain_normalize-packagename_1.6.xml.bin | 8 +- .../plain_private-packages_1.6.json.bin | 2 + .../plain_private-packages_1.6.xml.bin | 4 +- .../environment/plain_via-pdm_1.6.json.bin | 2 + .../environment/plain_via-pdm_1.6.xml.bin | 4 +- .../environment/plain_via-pipenv_1.6.json.bin | 2 + .../environment/plain_via-pipenv_1.6.xml.bin | 4 +- .../environment/plain_via-poetry_1.6.json.bin | 2 + .../environment/plain_via-poetry_1.6.xml.bin | 4 +- .../environment/plain_with-extras_1.1.xml.bin | 45 +++++++ .../plain_with-extras_1.2.json.bin | 71 +++++++++++ .../environment/plain_with-extras_1.2.xml.bin | 45 +++++++ .../plain_with-extras_1.3.json.bin | 71 +++++++++++ .../environment/plain_with-extras_1.3.xml.bin | 45 +++++++ .../plain_with-extras_1.4.json.bin | 71 +++++++++++ .../environment/plain_with-extras_1.4.xml.bin | 45 +++++++ .../plain_with-extras_1.5.json.bin | 71 +++++++++++ .../environment/plain_with-extras_1.5.xml.bin | 45 +++++++ .../plain_with-extras_1.6.json.bin | 114 ++++++++++++++++++ 
.../environment/plain_with-extras_1.6.xml.bin | 105 +++++++++++----- .../plain_with-license-file_1.6.json.bin | 1 + .../plain_with-license-file_1.6.xml.bin | 2 +- .../plain_with-license-text_1.1.xml.bin | 3 + .../plain_with-license-text_1.2.json.bin | 5 + .../plain_with-license-text_1.2.xml.bin | 3 + .../plain_with-license-text_1.3.json.bin | 5 + .../plain_with-license-text_1.3.xml.bin | 3 + .../plain_with-license-text_1.4.json.bin | 5 + .../plain_with-license-text_1.4.xml.bin | 3 + .../plain_with-license-text_1.5.json.bin | 5 + .../plain_with-license-text_1.5.xml.bin | 3 + .../plain_with-license-text_1.6.json.bin | 10 ++ .../plain_with-license-text_1.6.xml.bin | 11 +- .../environment/plain_with-urls_1.1.xml.bin | 8 ++ .../environment/plain_with-urls_1.2.json.bin | 12 ++ .../environment/plain_with-urls_1.2.xml.bin | 8 ++ .../environment/plain_with-urls_1.3.json.bin | 12 ++ .../environment/plain_with-urls_1.3.xml.bin | 8 ++ .../environment/plain_with-urls_1.4.json.bin | 12 ++ .../environment/plain_with-urls_1.4.xml.bin | 8 ++ .../environment/plain_with-urls_1.5.json.bin | 12 ++ .../environment/plain_with-urls_1.5.xml.bin | 8 ++ .../environment/plain_with-urls_1.6.json.bin | 17 +++ .../environment/plain_with-urls_1.6.xml.bin | 14 ++- .../pipenv/plain_no-deps_1.6.json.bin | 1 + .../pipenv/plain_no-deps_1.6.xml.bin | 2 +- .../poetry/plain_no-deps_lock20_1.6.json.bin | 1 + .../poetry/plain_no-deps_lock20_1.6.xml.bin | 2 +- .../requirements/file_frozen_1.6.json.bin | 1 + .../requirements/file_frozen_1.6.xml.bin | 2 +- .../requirements/file_local_1.6.json.bin | 1 + .../requirements/file_local_1.6.xml.bin | 2 +- .../requirements/file_nested_1.6.json.bin | 1 + .../requirements/file_nested_1.6.xml.bin | 2 +- .../file_private-packages_1.6.json.bin | 1 + .../file_private-packages_1.6.xml.bin | 2 +- ...egression-issue448.cp1252.txt_1.6.json.bin | 1 + ...regression-issue448.cp1252.txt_1.6.xml.bin | 2 +- .../file_with-comments_1.6.json.bin | 1 + .../file_with-comments_1.6.xml.bin 
| 2 +- .../file_with-extras_1.6.json.bin | 1 + .../requirements/file_with-extras_1.6.xml.bin | 2 +- .../file_with-hashes_1.6.json.bin | 1 + .../requirements/file_with-hashes_1.6.xml.bin | 2 +- .../requirements/file_with-urls_1.6.json.bin | 1 + .../requirements/file_with-urls_1.6.xml.bin | 2 +- .../file_without-pinned-versions_1.6.json.bin | 1 + .../file_without-pinned-versions_1.6.xml.bin | 2 +- .../index_auth_frozen_1.6.json.bin | 1 + .../index_auth_frozen_1.6.xml.bin | 2 +- 91 files changed, 1017 insertions(+), 90 deletions(-) diff --git a/cyclonedx_py/_internal/utils/license_trove_classifier.py b/cyclonedx_py/_internal/utils/license_trove_classifier.py index 7df04230..f1141d4b 100644 --- a/cyclonedx_py/_internal/utils/license_trove_classifier.py +++ b/cyclonedx_py/_internal/utils/license_trove_classifier.py @@ -21,9 +21,15 @@ All in here may have breaking change without notice. """ - from typing import Optional +__LICENSE_TROVE_PREFIX = 'License :: ' + + +def is_license_trove(classifier: str) -> bool: + return classifier.startswith(__LICENSE_TROVE_PREFIX) + + """ Map of trove classifiers to SPDX license ID or SPDX license expression. @@ -73,6 +79,7 @@ # !! see the ideas and cases of https://peps.python.org/pep-0639/#mapping-license-classifiers-to-spdx-identifiers # 'License :: OSI Approved :: Academic Free License (AFL)': which one? # - AFL-1.1 + # - AFL-... # - AFL-3.0 # 'License :: OSI Approved :: Apache Software License': which one? # - Apache-1.1 @@ -81,6 +88,9 @@ # - APSL-1.0 # - APSL-2.0 # 'License :: OSI Approved :: Artistic License': which version? + # - Artistic-1.0 + # - Artistic-... + # - Artistic-3.0 'License :: OSI Approved :: Attribution Assurance License': 'AAL', # 'License :: OSI Approved :: BSD License': which exactly? 'License :: OSI Approved :: Boost Software License 1.0 (BSL-1.0)': 'BSL-1.0', diff --git a/cyclonedx_py/_internal/utils/packaging.py b/cyclonedx_py/_internal/utils/packaging.py index 97106916..1a93028c 100644 
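Review bot: The module-level constant `__LICENSE_TROVE_PREFIX` uses a double-underscore prefix, which is the class-attribute name-mangling convention rather than the module-private one; PEP 8 style would be `_LICENSE_TROVE_PREFIX = 'License :: '`, with `is_license_trove` updated to use that name. `is_license_trove` also has no docstring; a one-liner such as `"""Whether the trove classifier is a license classifier, i.e. starts with ``License :: ``."""` documents the contract its callers rely on. The hunk covers the new function completely; the mapping docstring after it continues outside the hunk.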
--- a/cyclonedx_py/_internal/utils/packaging.py +++ b/cyclonedx_py/_internal/utils/packaging.py @@ -21,7 +21,7 @@ from cyclonedx.exception.model import InvalidUriException from cyclonedx.factory.license import LicenseFactory from cyclonedx.model import AttachedText, ExternalReference, ExternalReferenceType, XsUri -from cyclonedx.model.license import DisjunctiveLicense +from cyclonedx.model.license import DisjunctiveLicense, LicenseAcknowledgement from .cdx import url_label_to_ert from .pep621 import classifiers2licenses 
@@ -39,19 +39,26 @@ def metadata2licenses(metadata: 'PackageMetadata') -> Generator['License', None, None]: lfac = LicenseFactory() + lack = LicenseAcknowledgement.DECLARED if 'Classifier' in metadata: - # see https://packaging.python.org/en/latest/specifications/core-metadata/#classifier-multiple-use + # see spec: https://packaging.python.org/en/latest/specifications/core-metadata/#classifier-multiple-use classifiers: List[str] = metadata.get_all('Classifier') # type:ignore[assignment] - yield from classifiers2licenses(classifiers, lfac) - if 'License' in metadata and len(mlicense := metadata['License']) > 0: - # see https://packaging.python.org/en/latest/specifications/core-metadata/#license - license = lfac.make_from_string(mlicense) + yield from classifiers2licenses(classifiers, lfac, lack) + for mlicense in metadata.get_all('License', ()): + # see spec: https://packaging.python.org/en/latest/specifications/core-metadata/#license + if len(mlicense) <= 0: + continue + license = lfac.make_from_string(mlicense, + license_acknowledgement=lack) if isinstance(license, DisjunctiveLicense) and license.id is None: # per spec, `License` is either a SPDX ID/Expression, or a license text(not name!) yield DisjunctiveLicense(name=f"declared license of '{metadata['Name']}'", + acknowledgement=lack, text=AttachedText(content=mlicense)) else: yield license + # TODO: iterate over "License-File" declarations and read them + # for mlfile in metadata.get_all('License-File'): ... def metadata2extrefs(metadata: 'PackageMetadata') -> Generator['ExternalReference', None, None]: diff --git a/cyclonedx_py/_internal/utils/pep621.py b/cyclonedx_py/_internal/utils/pep621.py index 838fd956..3c4e1085 100644 --- a/cyclonedx_py/_internal/utils/pep621.py +++ b/cyclonedx_py/_internal/utils/pep621.py 
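Review bot: The new `for mlicense in metadata.get_all('License', ())` loop accepts several `License` headers, while the core-metadata spec linked in the comment marks the field single-use; state the intent in the comment, e.g. `# spec: single-use field -- be lenient and emit every occurrence`, so the next reader does not take it for an oversight. The emptiness test reads more idiomatically as `if not mlicense: continue`, and a whitespace-only `License:` value still falls through to `make_from_string`; whether that yields a blank named license depends on `LicenseFactory`, which I cannot see from here, so a `.strip()` guard may be worth adding. The commented-out `License-File` loop under the `TODO` is dead code; keep the TODO sentence and drop the pseudo-loop. `metadata2extrefs` at the end of the hunk is cut off.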
@@ -31,34 +31,34 @@ from cyclonedx.factory.license import LicenseFactory from cyclonedx.model import AttachedText, Encoding, ExternalReference, XsUri from cyclonedx.model.component import Component -from cyclonedx.model.license import DisjunctiveLicense +from cyclonedx.model.license import DisjunctiveLicense, LicenseAcknowledgement from packaging.requirements import Requirement from .cdx import licenses_fixup, url_label_to_ert -from .license_trove_classifier import license_trove2spdx +from .license_trove_classifier import is_license_trove, license_trove2spdx if TYPE_CHECKING: from cyclonedx.model.component import ComponentType from cyclonedx.model.license import License -def classifiers2licenses(classifiers: Iterable[str], lfac: 'LicenseFactory') -> Generator['License', None, None]: - yield from map(lfac.make_from_string, - # `lfac.make_with_id` could be a shortcut, - # but some SPDX ID might not (yet) be known to CDX. - # So better go with `lfac.make_from_string` and be safe. - filter(None, - map(license_trove2spdx, - classifiers))) +def classifiers2licenses(classifiers: Iterable[str], lfac: 'LicenseFactory', + lack: 'LicenseAcknowledgement' + ) -> Generator['License', None, None]: + for c in classifiers: + if is_license_trove(c): + yield lfac.make_from_string(license_trove2spdx(c) or c, + license_acknowledgement=lack) def project2licenses(project: Dict[str, Any], lfac: 'LicenseFactory', *, fpath: str) -> Generator['License', None, None]: + lack = LicenseAcknowledgement.DECLARED if classifiers := project.get('classifiers'): # https://packaging.python.org/en/latest/specifications/pyproject-toml/#classifiers # https://peps.python.org/pep-0621/#classifiers # https://packaging.python.org/en/latest/specifications/core-metadata/#classifier-multiple-use - yield from classifiers2licenses(classifiers, lfac) + yield from classifiers2licenses(classifiers, lfac, lack) if plicense := project.get('license'): # 
https://packaging.python.org/en/latest/specifications/pyproject-toml/#license # https://peps.python.org/pep-0621/#license @@ -73,13 +73,16 @@ def project2licenses(project: Dict[str, Any], lfac: 'LicenseFactory', *, # > Tools MUST assume the file’s encoding is UTF-8. with open(join(dirname(fpath), plicense['file']), 'rb') as plicense_fileh: yield DisjunctiveLicense(name=f"declared license of '{project['name']}'", + acknowledgement=lack, text=AttachedText(encoding=Encoding.BASE_64, content=b64encode(plicense_fileh.read()).decode())) elif len(plicense_text := plicense.get('text', '')) > 0: - license = lfac.make_from_string(plicense_text) + license = lfac.make_from_string(plicense_text, + license_acknowledgement=lack) if isinstance(license, DisjunctiveLicense) and license.id is None: # per spec, `License` is either a SPDX ID/Expression, or a license text(not name!) yield DisjunctiveLicense(name=f"declared license of '{project['name']}'", + acknowledgement=lack, text=AttachedText(content=plicense_text)) else: yield license diff --git a/cyclonedx_py/_internal/utils/poetry.py b/cyclonedx_py/_internal/utils/poetry.py index 15f9b769..9b2a9ad4 100644 --- a/cyclonedx_py/_internal/utils/poetry.py +++ b/cyclonedx_py/_internal/utils/poetry.py @@ -28,6 +28,7 @@ from cyclonedx.factory.license import LicenseFactory from cyclonedx.model import ExternalReference, ExternalReferenceType, XsUri from cyclonedx.model.component import Component +from cyclonedx.model.license import LicenseAcknowledgement from packaging.requirements import Requirement from .cdx import licenses_fixup, url_label_to_ert 
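Review bot: `classifiers2licenses` now takes `lack` as a required positional parameter, whereas the sibling `project2licenses` in the same file keeps its extra argument keyword-only (`*, fpath`); declaring it as `*, lack: 'LicenseAcknowledgement'` keeps the two signatures consistent and prevents callers from passing it by position in the wrong slot. The rewrite also drops the old comment explaining why `make_from_string` is used instead of `make_with_id` (some SPDX IDs may not yet be known to CDX); that rationale still holds for the `license_trove2spdx(c)` branch and should come back as a comment on the `yield`. A docstring stating that license troves without an SPDX mapping are emitted as named licenses carrying the raw classifier text would document the behaviour the updated snapshots assert. `project2licenses` starts inside the hunk and continues past it.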
@@ -64,12 +65,14 @@ def poetry2extrefs(poetry: Dict[str, Any]) -> Generator['ExternalReference', Non def poetry2component(poetry: Dict[str, Any], *, ctype: 'ComponentType') -> 'Component': licenses: List['License'] = [] lfac = LicenseFactory() + lack = LicenseAcknowledgement.DECLARED if 'classifiers' in poetry: - licenses.extend(classifiers2licenses(poetry['classifiers'], lfac)) + licenses.extend(classifiers2licenses(poetry['classifiers'], lfac, lack)) if 'license' in poetry: # per spec(https://python-poetry.org/docs/pyproject#license): # the `license` is intended to be the name of a license, not the license text itself. - licenses.append(lfac.make_from_string(poetry['license'])) + licenses.append(lfac.make_from_string(poetry['license'], + license_acknowledgement=lack)) return Component( type=ctype, diff --git a/pyproject.toml b/pyproject.toml index 43096bee..6281f640 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -69,7 +69,7 @@ cyclonedx-py = "cyclonedx_py._internal.cli:run" [tool.poetry.dependencies] python = "^3.8" -cyclonedx-python-lib = { version = "^7.0.0", extras = ["validation"] } +cyclonedx-python-lib = { version = "^7.3.0", extras = ["validation"] } packageurl-python = ">=0.11, <2" # keep in sync with same dep in `cyclonedx-python-lib` pip-requirements-parser = "^32.0" packaging = "^22 || ^23 || ^24" diff --git a/tests/_data/snapshots/environment/plain_editable-self_1.6.json.bin b/tests/_data/snapshots/environment/plain_editable-self_1.6.json.bin index 95245a58..670df120 100644 --- a/tests/_data/snapshots/environment/plain_editable-self_1.6.json.bin +++ b/tests/_data/snapshots/environment/plain_editable-self_1.6.json.bin @@ -13,6 +13,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } } diff --git a/tests/_data/snapshots/environment/plain_editable-self_1.6.xml.bin b/tests/_data/snapshots/environment/plain_editable-self_1.6.xml.bin index a329c50f..9189d4b0 100644 
--- a/tests/_data/snapshots/environment/plain_editable-self_1.6.xml.bin +++ b/tests/_data/snapshots/environment/plain_editable-self_1.6.xml.bin @@ -55,7 +55,7 @@ 1.16.0 Python 2 and 3 compatibility utilities - + MIT diff --git a/tests/_data/snapshots/environment/plain_local_1.1.xml.bin b/tests/_data/snapshots/environment/plain_local_1.1.xml.bin index 1388cf70..d1db2747 100644 --- a/tests/_data/snapshots/environment/plain_local_1.1.xml.bin +++ b/tests/_data/snapshots/environment/plain_local_1.1.xml.bin @@ -26,6 +26,9 @@ Apache-2.0 + + License :: OSI Approved :: Apache Software License + diff --git a/tests/_data/snapshots/environment/plain_local_1.2.json.bin b/tests/_data/snapshots/environment/plain_local_1.2.json.bin index f1b72c5a..74aea42f 100644 --- a/tests/_data/snapshots/environment/plain_local_1.2.json.bin +++ b/tests/_data/snapshots/environment/plain_local_1.2.json.bin @@ -40,6 +40,11 @@ "license": { "id": "Apache-2.0" } + }, + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } } ], "name": "package-b", diff --git a/tests/_data/snapshots/environment/plain_local_1.2.xml.bin b/tests/_data/snapshots/environment/plain_local_1.2.xml.bin index 679e1774..61150894 100644 --- a/tests/_data/snapshots/environment/plain_local_1.2.xml.bin +++ b/tests/_data/snapshots/environment/plain_local_1.2.xml.bin @@ -45,6 +45,9 @@ Apache-2.0 + + License :: OSI Approved :: Apache Software License + diff --git a/tests/_data/snapshots/environment/plain_local_1.3.json.bin b/tests/_data/snapshots/environment/plain_local_1.3.json.bin index b387890d..b74fc7a3 100644 --- a/tests/_data/snapshots/environment/plain_local_1.3.json.bin +++ b/tests/_data/snapshots/environment/plain_local_1.3.json.bin @@ -52,6 +52,11 @@ "license": { "id": "Apache-2.0" } + }, + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } } ], "name": "package-b", 
diff --git a/tests/_data/snapshots/environment/plain_local_1.3.xml.bin b/tests/_data/snapshots/environment/plain_local_1.3.xml.bin index 99867867..1eaa9e31 100644 --- a/tests/_data/snapshots/environment/plain_local_1.3.xml.bin +++ b/tests/_data/snapshots/environment/plain_local_1.3.xml.bin @@ -51,6 +51,9 @@ Apache-2.0 + + License :: OSI Approved :: Apache Software License + diff --git a/tests/_data/snapshots/environment/plain_local_1.4.json.bin b/tests/_data/snapshots/environment/plain_local_1.4.json.bin index 6bdf4c88..622555a9 100644 --- a/tests/_data/snapshots/environment/plain_local_1.4.json.bin +++ b/tests/_data/snapshots/environment/plain_local_1.4.json.bin @@ -52,6 +52,11 @@ "license": { "id": "Apache-2.0" } + }, + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } } ], "name": "package-b", diff --git a/tests/_data/snapshots/environment/plain_local_1.4.xml.bin b/tests/_data/snapshots/environment/plain_local_1.4.xml.bin index 22337ef7..a2a1e908 100644 --- a/tests/_data/snapshots/environment/plain_local_1.4.xml.bin +++ b/tests/_data/snapshots/environment/plain_local_1.4.xml.bin @@ -78,6 +78,9 @@ Apache-2.0 + + License :: OSI Approved :: Apache Software License + diff --git a/tests/_data/snapshots/environment/plain_local_1.5.json.bin b/tests/_data/snapshots/environment/plain_local_1.5.json.bin index ec24b2d8..4e2b448a 100644 --- a/tests/_data/snapshots/environment/plain_local_1.5.json.bin +++ b/tests/_data/snapshots/environment/plain_local_1.5.json.bin @@ -52,6 +52,11 @@ "license": { "id": "Apache-2.0" } + }, + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } } ], "name": "package-b", diff --git a/tests/_data/snapshots/environment/plain_local_1.5.xml.bin b/tests/_data/snapshots/environment/plain_local_1.5.xml.bin index a59e09f4..62522a1d 100644 --- a/tests/_data/snapshots/environment/plain_local_1.5.xml.bin +++ b/tests/_data/snapshots/environment/plain_local_1.5.xml.bin 
@@ -78,6 +78,9 @@ Apache-2.0 + + License :: OSI Approved :: Apache Software License + diff --git a/tests/_data/snapshots/environment/plain_local_1.6.json.bin b/tests/_data/snapshots/environment/plain_local_1.6.json.bin index 0a853aa6..602fbe26 100644 --- a/tests/_data/snapshots/environment/plain_local_1.6.json.bin +++ b/tests/_data/snapshots/environment/plain_local_1.6.json.bin @@ -19,6 +19,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "name": "declared license of 'package-a'", "text": { "content": "some license text", @@ -50,8 +51,15 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "Apache-2.0" } + }, + { + "license": { + "acknowledgement": "declared", + "name": "License :: OSI Approved :: Apache Software License" + } } ], "name": "package-b", @@ -70,6 +78,7 @@ ], "licenses": [ { + "acknowledgement": "declared", "expression": "Apache-2.0 OR MIT" } ], diff --git a/tests/_data/snapshots/environment/plain_local_1.6.xml.bin b/tests/_data/snapshots/environment/plain_local_1.6.xml.bin index cdd5889c..21001a09 100644 --- a/tests/_data/snapshots/environment/plain_local_1.6.xml.bin +++ b/tests/_data/snapshots/environment/plain_local_1.6.xml.bin @@ -55,7 +55,7 @@ 23.42 some package A - + declared license of 'package-a' some license text @@ -75,9 +75,12 @@ 23.42 some package B - + Apache-2.0 + + License :: OSI Approved :: Apache Software License + @@ -94,7 +97,7 @@ 23.42 some package C - Apache-2.0 OR MIT + Apache-2.0 OR MIT diff --git a/tests/_data/snapshots/environment/plain_no-deps_1.6.json.bin b/tests/_data/snapshots/environment/plain_no-deps_1.6.json.bin index 3e3dd692..60631689 100644 --- a/tests/_data/snapshots/environment/plain_no-deps_1.6.json.bin +++ b/tests/_data/snapshots/environment/plain_no-deps_1.6.json.bin @@ -42,6 +42,7 @@ ], "licenses": [ { + "acknowledgement": "declared", "expression": "Apache-2.0 OR MIT" } ], 
diff --git a/tests/_data/snapshots/environment/plain_no-deps_1.6.xml.bin b/tests/_data/snapshots/environment/plain_no-deps_1.6.xml.bin index 144cdcac..8081bd9d 100644 --- a/tests/_data/snapshots/environment/plain_no-deps_1.6.xml.bin +++ b/tests/_data/snapshots/environment/plain_no-deps_1.6.xml.bin @@ -45,7 +45,7 @@ 0.1.0 packages with all meta, but no deps - Apache-2.0 OR MIT + Apache-2.0 OR MIT diff --git a/tests/_data/snapshots/environment/plain_normalize-packagename_1.6.json.bin b/tests/_data/snapshots/environment/plain_normalize-packagename_1.6.json.bin index 90d55279..721a7a36 100644 --- a/tests/_data/snapshots/environment/plain_normalize-packagename_1.6.json.bin +++ b/tests/_data/snapshots/environment/plain_normalize-packagename_1.6.json.bin @@ -28,11 +28,13 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } }, { "license": { + "acknowledgement": "declared", "name": "declared license of 'ruamel.yaml'", "text": { "content": "MIT license", @@ -65,6 +67,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } } @@ -87,6 +90,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } } diff --git a/tests/_data/snapshots/environment/plain_normalize-packagename_1.6.xml.bin b/tests/_data/snapshots/environment/plain_normalize-packagename_1.6.xml.bin index 99d58186..0f4ee721 100644 --- a/tests/_data/snapshots/environment/plain_normalize-packagename_1.6.xml.bin +++ b/tests/_data/snapshots/environment/plain_normalize-packagename_1.6.xml.bin @@ -55,10 +55,10 @@ 0.18.5 ruamel.yaml is a YAML parser/emitter that supports roundtrip preservation of comments, seq/map flow style, and map key order - + MIT - + declared license of 'ruamel.yaml' MIT license @@ -91,7 +91,7 @@ 0.2.8 C version of reader, parser and emitter for ruamel.yaml derived from libyaml - + MIT @@ -108,7 +108,7 @@ 0.2.7 jinja2 pre and post-processor to update with YAML - + MIT 
diff --git a/tests/_data/snapshots/environment/plain_private-packages_1.6.json.bin b/tests/_data/snapshots/environment/plain_private-packages_1.6.json.bin index 83a98e36..783d2d5e 100644 --- a/tests/_data/snapshots/environment/plain_private-packages_1.6.json.bin +++ b/tests/_data/snapshots/environment/plain_private-packages_1.6.json.bin @@ -24,6 +24,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } } @@ -46,6 +47,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } } diff --git a/tests/_data/snapshots/environment/plain_private-packages_1.6.xml.bin b/tests/_data/snapshots/environment/plain_private-packages_1.6.xml.bin index 57dbf60f..586af2fd 100644 --- a/tests/_data/snapshots/environment/plain_private-packages_1.6.xml.bin +++ b/tests/_data/snapshots/environment/plain_private-packages_1.6.xml.bin @@ -55,7 +55,7 @@ 1.16.0 Python 2 and 3 compatibility utilities - + MIT @@ -79,7 +79,7 @@ 0.10.2 Python Library for Tom's Obvious, Minimal Language - + MIT diff --git a/tests/_data/snapshots/environment/plain_via-pdm_1.6.json.bin b/tests/_data/snapshots/environment/plain_via-pdm_1.6.json.bin index ecc222c6..6e4020e7 100644 --- a/tests/_data/snapshots/environment/plain_via-pdm_1.6.json.bin +++ b/tests/_data/snapshots/environment/plain_via-pdm_1.6.json.bin @@ -13,6 +13,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } } @@ -40,6 +41,7 @@ "description": "environment via PDM", "licenses": [ { + "acknowledgement": "declared", "expression": "Apache-2.0 OR MIT" } ], diff --git a/tests/_data/snapshots/environment/plain_via-pdm_1.6.xml.bin b/tests/_data/snapshots/environment/plain_via-pdm_1.6.xml.bin index bcd81480..e63e9873 100644 --- a/tests/_data/snapshots/environment/plain_via-pdm_1.6.xml.bin +++ b/tests/_data/snapshots/environment/plain_via-pdm_1.6.xml.bin @@ -45,7 +45,7 @@ 0.1.0 environment via PDM - Apache-2.0 OR MIT + Apache-2.0 OR MIT 
@@ -58,7 +58,7 @@ 0.10.2 Python Library for Tom's Obvious, Minimal Language - + MIT diff --git a/tests/_data/snapshots/environment/plain_via-pipenv_1.6.json.bin b/tests/_data/snapshots/environment/plain_via-pipenv_1.6.json.bin index b47e124a..441e4293 100644 --- a/tests/_data/snapshots/environment/plain_via-pipenv_1.6.json.bin +++ b/tests/_data/snapshots/environment/plain_via-pipenv_1.6.json.bin @@ -13,6 +13,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } } @@ -72,6 +73,7 @@ ], "licenses": [ { + "acknowledgement": "declared", "expression": "Apache-2.0 OR MIT" } ], diff --git a/tests/_data/snapshots/environment/plain_via-pipenv_1.6.xml.bin b/tests/_data/snapshots/environment/plain_via-pipenv_1.6.xml.bin index 950e5878..2a3679b4 100644 --- a/tests/_data/snapshots/environment/plain_via-pipenv_1.6.xml.bin +++ b/tests/_data/snapshots/environment/plain_via-pipenv_1.6.xml.bin @@ -45,7 +45,7 @@ 0.1.0 environment via Pipenv - Apache-2.0 OR MIT + Apache-2.0 OR MIT @@ -84,7 +84,7 @@ 0.10.2 Python Library for Tom's Obvious, Minimal Language - + MIT diff --git a/tests/_data/snapshots/environment/plain_via-poetry_1.6.json.bin b/tests/_data/snapshots/environment/plain_via-poetry_1.6.json.bin index af4f5aa4..20eefc85 100644 --- a/tests/_data/snapshots/environment/plain_via-poetry_1.6.json.bin +++ b/tests/_data/snapshots/environment/plain_via-poetry_1.6.json.bin @@ -13,6 +13,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } } @@ -72,6 +73,7 @@ ], "licenses": [ { + "acknowledgement": "declared", "expression": "Apache-2.0 OR MIT" } ], diff --git a/tests/_data/snapshots/environment/plain_via-poetry_1.6.xml.bin b/tests/_data/snapshots/environment/plain_via-poetry_1.6.xml.bin index 8f71c634..fd8eed5b 100644 --- a/tests/_data/snapshots/environment/plain_via-poetry_1.6.xml.bin +++ b/tests/_data/snapshots/environment/plain_via-poetry_1.6.xml.bin 
@@ -45,7 +45,7 @@ 0.1.0 environment via Poetry - Apache-2.0 OR MIT + Apache-2.0 OR MIT @@ -84,7 +84,7 @@ 0.10.2 Python Library for Tom's Obvious, Minimal Language - + MIT diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.1.xml.bin b/tests/_data/snapshots/environment/plain_with-extras_1.1.xml.bin index 66824561..447fc37d 100644 --- a/tests/_data/snapshots/environment/plain_with-extras_1.1.xml.bin +++ b/tests/_data/snapshots/environment/plain_with-extras_1.1.xml.bin @@ -5,6 +5,11 @@ arrow 1.3.0 Better dates & times for Python + + + License :: OSI Approved :: Apache Software License + + pkg:pypi/arrow@1.3.0 @@ -83,6 +88,9 @@ Apache-2.0 + + License :: OSI Approved :: Apache Software License + pkg:pypi/cyclonedx-python-lib@6.0.0 @@ -138,6 +146,9 @@ 1.5.1 Validates fully-qualified domain names against RFC 1123, so that they are acceptable to modern bowsers + + License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0) + declared license of 'fqdn' MPL 2.0 @@ -155,6 +166,11 @@ idna 3.6 Internationalized Domain Names in Applications (IDNA) + + + License :: OSI Approved :: BSD License + + pkg:pypi/idna@3.6 @@ -175,6 +191,11 @@ importlib-resources 6.1.1 Read resources from Python packages + + + License :: OSI Approved :: Apache Software License + + pkg:pypi/importlib-resources@6.1.1 @@ -225,6 +246,9 @@ 2.4 Identify specific nodes in a JSON document (RFC 6901) + + License :: OSI Approved :: BSD License + declared license of 'jsonpointer' Modified BSD License @@ -341,6 +365,9 @@ BSD-3-Clause + + License :: OSI Approved :: BSD License + pkg:pypi/lxml@4.9.4 @@ -396,6 +423,9 @@ Apache-2.0 + + License :: OSI Approved :: Apache Software License + pkg:pypi/py-serializable@0.16.0 @@ -418,6 +448,12 @@ 2.8.2 Extensions to the standard Python datetime module + + License :: OSI Approved :: Apache Software License + + + License :: OSI Approved :: BSD License + declared license of 'python-dateutil' Dual License 
@@ -581,6 +617,9 @@ 2.4.0 Sorted Containers -- Sorted List, Sorted Dict, Sorted Set + + License :: OSI Approved :: Apache Software License + declared license of 'sortedcontainers' Apache 2.0 @@ -599,6 +638,9 @@ 2.8.19.14 Typing stubs for python-dateutil + + License :: OSI Approved :: Apache Software License + declared license of 'types-python-dateutil' Apache-2.0 license @@ -657,6 +699,9 @@ BSD-3-Clause + + License :: OSI Approved :: BSD License + pkg:pypi/webcolors@1.13 diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.2.json.bin b/tests/_data/snapshots/environment/plain_with-extras_1.2.json.bin index d9573345..0a52e833 100644 --- a/tests/_data/snapshots/environment/plain_with-extras_1.2.json.bin +++ b/tests/_data/snapshots/environment/plain_with-extras_1.2.json.bin @@ -20,6 +20,13 @@ "url": "https://github.com/arrow-py/arrow" } ], + "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + } + ], "name": "arrow", "purl": "pkg:pypi/arrow@1.3.0", "type": "library", @@ -129,6 +136,11 @@ "license": { "id": "Apache-2.0" } + }, + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } } ], "name": "cyclonedx-python-lib", @@ -183,6 +195,11 @@ } ], "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)" + } + }, { "license": { "name": "declared license of 'fqdn'", @@ -218,6 +235,13 @@ "url": "https://github.com/kjd/idna/blob/master/HISTORY.rst" } ], + "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } + } + ], "name": "idna", "purl": "pkg:pypi/idna@3.6", "type": "library", @@ -238,6 +262,13 @@ "url": "https://github.com/python/importlib_resources" } ], + "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + } + ], "name": "importlib-resources", "purl": "pkg:pypi/importlib-resources@6.1.1", "type": "library", 
@@ -300,6 +331,11 @@ } ], "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } + }, { "license": { "name": "declared license of 'jsonpointer'", @@ -456,6 +492,11 @@ "license": { "id": "BSD-3-Clause" } + }, + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } } ], "name": "lxml", @@ -532,6 +573,11 @@ "license": { "id": "Apache-2.0" } + }, + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } } ], "name": "py-serializable", @@ -560,6 +606,16 @@ } ], "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + }, + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } + }, { "license": { "name": "declared license of 'python-dateutil'", @@ -769,6 +825,11 @@ } ], "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + }, { "license": { "name": "declared license of 'sortedcontainers'", @@ -815,6 +876,11 @@ } ], "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + }, { "license": { "name": "declared license of 'types-python-dateutil'", @@ -881,6 +947,11 @@ "license": { "id": "BSD-3-Clause" } + }, + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } } ], "name": "webcolors", diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.2.xml.bin b/tests/_data/snapshots/environment/plain_with-extras_1.2.xml.bin index 6d638e79..59c1d097 100644 --- a/tests/_data/snapshots/environment/plain_with-extras_1.2.xml.bin +++ b/tests/_data/snapshots/environment/plain_with-extras_1.2.xml.bin @@ -24,6 +24,11 @@ arrow 1.3.0 Better dates & times for Python + + + License :: OSI Approved :: Apache Software License + + pkg:pypi/arrow@1.3.0 @@ -102,6 +107,9 @@ Apache-2.0 + + License :: OSI Approved :: Apache Software License + pkg:pypi/cyclonedx-python-lib@6.0.0 
@@ -157,6 +165,9 @@ 1.5.1 Validates fully-qualified domain names against RFC 1123, so that they are acceptable to modern bowsers + + License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0) + declared license of 'fqdn' MPL 2.0 @@ -174,6 +185,11 @@ idna 3.6 Internationalized Domain Names in Applications (IDNA) + + + License :: OSI Approved :: BSD License + + pkg:pypi/idna@3.6 @@ -194,6 +210,11 @@ importlib-resources 6.1.1 Read resources from Python packages + + + License :: OSI Approved :: Apache Software License + + pkg:pypi/importlib-resources@6.1.1 @@ -244,6 +265,9 @@ 2.4 Identify specific nodes in a JSON document (RFC 6901) + + License :: OSI Approved :: BSD License + declared license of 'jsonpointer' Modified BSD License @@ -360,6 +384,9 @@ BSD-3-Clause + + License :: OSI Approved :: BSD License + pkg:pypi/lxml@4.9.4 @@ -415,6 +442,9 @@ Apache-2.0 + + License :: OSI Approved :: Apache Software License + pkg:pypi/py-serializable@0.16.0 @@ -437,6 +467,12 @@ 2.8.2 Extensions to the standard Python datetime module + + License :: OSI Approved :: Apache Software License + + + License :: OSI Approved :: BSD License + declared license of 'python-dateutil' Dual License @@ -600,6 +636,9 @@ 2.4.0 Sorted Containers -- Sorted List, Sorted Dict, Sorted Set + + License :: OSI Approved :: Apache Software License + declared license of 'sortedcontainers' Apache 2.0 @@ -618,6 +657,9 @@ 2.8.19.14 Typing stubs for python-dateutil + + License :: OSI Approved :: Apache Software License + declared license of 'types-python-dateutil' Apache-2.0 license @@ -676,6 +718,9 @@ BSD-3-Clause + + License :: OSI Approved :: BSD License + pkg:pypi/webcolors@1.13 diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.3.json.bin b/tests/_data/snapshots/environment/plain_with-extras_1.3.json.bin index 673d3a4d..fc3e8582 100644 --- a/tests/_data/snapshots/environment/plain_with-extras_1.3.json.bin +++ b/tests/_data/snapshots/environment/plain_with-extras_1.3.json.bin 
@@ -20,6 +20,13 @@ "url": "https://github.com/arrow-py/arrow" } ], + "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + } + ], "name": "arrow", "purl": "pkg:pypi/arrow@1.3.0", "type": "library", @@ -129,6 +136,11 @@ "license": { "id": "Apache-2.0" } + }, + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } } ], "name": "cyclonedx-python-lib", @@ -189,6 +201,11 @@ } ], "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)" + } + }, { "license": { "name": "declared license of 'fqdn'", @@ -224,6 +241,13 @@ "url": "https://github.com/kjd/idna/blob/master/HISTORY.rst" } ], + "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } + } + ], "name": "idna", "purl": "pkg:pypi/idna@3.6", "type": "library", @@ -244,6 +268,13 @@ "url": "https://github.com/python/importlib_resources" } ], + "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + } + ], "name": "importlib-resources", "purl": "pkg:pypi/importlib-resources@6.1.1", "type": "library", @@ -306,6 +337,11 @@ } ], "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } + }, { "license": { "name": "declared license of 'jsonpointer'", @@ -468,6 +504,11 @@ "license": { "id": "BSD-3-Clause" } + }, + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } } ], "name": "lxml", @@ -544,6 +585,11 @@ "license": { "id": "Apache-2.0" } + }, + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } } ], "name": "py-serializable", @@ -572,6 +618,16 @@ } ], "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + }, + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } + }, { "license": { "name": "declared license of 'python-dateutil'", 
@@ -781,6 +837,11 @@ } ], "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + }, { "license": { "name": "declared license of 'sortedcontainers'", @@ -827,6 +888,11 @@ } ], "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + }, { "license": { "name": "declared license of 'types-python-dateutil'", @@ -893,6 +959,11 @@ "license": { "id": "BSD-3-Clause" } + }, + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } } ], "name": "webcolors", diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.3.xml.bin b/tests/_data/snapshots/environment/plain_with-extras_1.3.xml.bin index deb346e6..79d4f9e3 100644 --- a/tests/_data/snapshots/environment/plain_with-extras_1.3.xml.bin +++ b/tests/_data/snapshots/environment/plain_with-extras_1.3.xml.bin @@ -27,6 +27,11 @@ arrow 1.3.0 Better dates & times for Python + + + License :: OSI Approved :: Apache Software License + + pkg:pypi/arrow@1.3.0 @@ -105,6 +110,9 @@ Apache-2.0 + + License :: OSI Approved :: Apache Software License + pkg:pypi/cyclonedx-python-lib@6.0.0 @@ -163,6 +171,9 @@ 1.5.1 Validates fully-qualified domain names against RFC 1123, so that they are acceptable to modern bowsers + + License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0) + declared license of 'fqdn' MPL 2.0 @@ -180,6 +191,11 @@ idna 3.6 Internationalized Domain Names in Applications (IDNA) + + + License :: OSI Approved :: BSD License + + pkg:pypi/idna@3.6 @@ -200,6 +216,11 @@ importlib-resources 6.1.1 Read resources from Python packages + + + License :: OSI Approved :: Apache Software License + + pkg:pypi/importlib-resources@6.1.1 @@ -250,6 +271,9 @@ 2.4 Identify specific nodes in a JSON document (RFC 6901) + + License :: OSI Approved :: BSD License + declared license of 'jsonpointer' Modified BSD License @@ -369,6 +393,9 @@ BSD-3-Clause + + License :: OSI Approved :: BSD License + pkg:pypi/lxml@4.9.4 
@@ -424,6 +451,9 @@ Apache-2.0 + + License :: OSI Approved :: Apache Software License + pkg:pypi/py-serializable@0.16.0 @@ -446,6 +476,12 @@ 2.8.2 Extensions to the standard Python datetime module + + License :: OSI Approved :: Apache Software License + + + License :: OSI Approved :: BSD License + declared license of 'python-dateutil' Dual License @@ -609,6 +645,9 @@ 2.4.0 Sorted Containers -- Sorted List, Sorted Dict, Sorted Set + + License :: OSI Approved :: Apache Software License + declared license of 'sortedcontainers' Apache 2.0 @@ -627,6 +666,9 @@ 2.8.19.14 Typing stubs for python-dateutil + + License :: OSI Approved :: Apache Software License + declared license of 'types-python-dateutil' Apache-2.0 license @@ -685,6 +727,9 @@ BSD-3-Clause + + License :: OSI Approved :: BSD License + pkg:pypi/webcolors@1.13 diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.4.json.bin b/tests/_data/snapshots/environment/plain_with-extras_1.4.json.bin index 25ea23d5..4106026f 100644 --- a/tests/_data/snapshots/environment/plain_with-extras_1.4.json.bin +++ b/tests/_data/snapshots/environment/plain_with-extras_1.4.json.bin @@ -20,6 +20,13 @@ "url": "https://github.com/arrow-py/arrow" } ], + "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + } + ], "name": "arrow", "purl": "pkg:pypi/arrow@1.3.0", "type": "library", @@ -129,6 +136,11 @@ "license": { "id": "Apache-2.0" } + }, + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } } ], "name": "cyclonedx-python-lib", @@ -189,6 +201,11 @@ } ], "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)" + } + }, { "license": { "name": "declared license of 'fqdn'", 
@@ -224,6 +241,13 @@ "url": "https://github.com/kjd/idna/blob/master/HISTORY.rst" } ], + "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } + } + ], "name": "idna", "purl": "pkg:pypi/idna@3.6", "type": "library", @@ -244,6 +268,13 @@ "url": "https://github.com/python/importlib_resources" } ], + "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + } + ], "name": "importlib-resources", "purl": "pkg:pypi/importlib-resources@6.1.1", "type": "library", @@ -306,6 +337,11 @@ } ], "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } + }, { "license": { "name": "declared license of 'jsonpointer'", @@ -468,6 +504,11 @@ "license": { "id": "BSD-3-Clause" } + }, + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } } ], "name": "lxml", @@ -544,6 +585,11 @@ "license": { "id": "Apache-2.0" } + }, + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } } ], "name": "py-serializable", @@ -572,6 +618,16 @@ } ], "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + }, + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } + }, { "license": { "name": "declared license of 'python-dateutil'", @@ -781,6 +837,11 @@ } ], "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + }, { "license": { "name": "declared license of 'sortedcontainers'", @@ -827,6 +888,11 @@ } ], "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + }, { "license": { "name": "declared license of 'types-python-dateutil'", @@ -893,6 +959,11 @@ "license": { "id": "BSD-3-Clause" } + }, + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } } ], "name": "webcolors", 
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.4.xml.bin b/tests/_data/snapshots/environment/plain_with-extras_1.4.xml.bin index 91dd03a1..98d29529 100644 --- a/tests/_data/snapshots/environment/plain_with-extras_1.4.xml.bin +++ b/tests/_data/snapshots/environment/plain_with-extras_1.4.xml.bin @@ -54,6 +54,11 @@ arrow 1.3.0 Better dates & times for Python + + + License :: OSI Approved :: Apache Software License + + pkg:pypi/arrow@1.3.0 @@ -132,6 +137,9 @@ Apache-2.0 + + License :: OSI Approved :: Apache Software License + pkg:pypi/cyclonedx-python-lib@6.0.0 @@ -190,6 +198,9 @@ 1.5.1 Validates fully-qualified domain names against RFC 1123, so that they are acceptable to modern bowsers + + License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0) + declared license of 'fqdn' MPL 2.0 @@ -207,6 +218,11 @@ idna 3.6 Internationalized Domain Names in Applications (IDNA) + + + License :: OSI Approved :: BSD License + + pkg:pypi/idna@3.6 @@ -227,6 +243,11 @@ importlib-resources 6.1.1 Read resources from Python packages + + + License :: OSI Approved :: Apache Software License + + pkg:pypi/importlib-resources@6.1.1 @@ -277,6 +298,9 @@ 2.4 Identify specific nodes in a JSON document (RFC 6901) + + License :: OSI Approved :: BSD License + declared license of 'jsonpointer' Modified BSD License @@ -396,6 +420,9 @@ BSD-3-Clause + + License :: OSI Approved :: BSD License + pkg:pypi/lxml@4.9.4 @@ -451,6 +478,9 @@ Apache-2.0 + + License :: OSI Approved :: Apache Software License + pkg:pypi/py-serializable@0.16.0 @@ -473,6 +503,12 @@ 2.8.2 Extensions to the standard Python datetime module + + License :: OSI Approved :: Apache Software License + + + License :: OSI Approved :: BSD License + declared license of 'python-dateutil' Dual License @@ -636,6 +672,9 @@ 2.4.0 Sorted Containers -- Sorted List, Sorted Dict, Sorted Set + + License :: OSI Approved :: Apache Software License + declared license of 'sortedcontainers' Apache 2.0 
@@ -654,6 +693,9 @@ 2.8.19.14 Typing stubs for python-dateutil + + License :: OSI Approved :: Apache Software License + declared license of 'types-python-dateutil' Apache-2.0 license @@ -712,6 +754,9 @@ BSD-3-Clause + + License :: OSI Approved :: BSD License + pkg:pypi/webcolors@1.13 diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.5.json.bin b/tests/_data/snapshots/environment/plain_with-extras_1.5.json.bin index 79464274..884049b9 100644 --- a/tests/_data/snapshots/environment/plain_with-extras_1.5.json.bin +++ b/tests/_data/snapshots/environment/plain_with-extras_1.5.json.bin @@ -20,6 +20,13 @@ "url": "https://github.com/arrow-py/arrow" } ], + "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + } + ], "name": "arrow", "purl": "pkg:pypi/arrow@1.3.0", "type": "library", @@ -129,6 +136,11 @@ "license": { "id": "Apache-2.0" } + }, + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } } ], "name": "cyclonedx-python-lib", @@ -189,6 +201,11 @@ } ], "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)" + } + }, { "license": { "name": "declared license of 'fqdn'", @@ -224,6 +241,13 @@ "url": "https://github.com/kjd/idna/blob/master/HISTORY.rst" } ], + "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } + } + ], "name": "idna", "purl": "pkg:pypi/idna@3.6", "type": "library", @@ -244,6 +268,13 @@ "url": "https://github.com/python/importlib_resources" } ], + "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + } + ], "name": "importlib-resources", "purl": "pkg:pypi/importlib-resources@6.1.1", "type": "library", @@ -306,6 +337,11 @@ } ], "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } + }, { "license": { "name": "declared license of 'jsonpointer'", 
@@ -468,6 +504,11 @@ "license": { "id": "BSD-3-Clause" } + }, + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } } ], "name": "lxml", @@ -544,6 +585,11 @@ "license": { "id": "Apache-2.0" } + }, + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } } ], "name": "py-serializable", @@ -572,6 +618,16 @@ } ], "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + }, + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } + }, { "license": { "name": "declared license of 'python-dateutil'", @@ -781,6 +837,11 @@ } ], "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + }, { "license": { "name": "declared license of 'sortedcontainers'", @@ -827,6 +888,11 @@ } ], "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + }, { "license": { "name": "declared license of 'types-python-dateutil'", @@ -893,6 +959,11 @@ "license": { "id": "BSD-3-Clause" } + }, + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } } ], "name": "webcolors", diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.5.xml.bin b/tests/_data/snapshots/environment/plain_with-extras_1.5.xml.bin index 295897a7..11375eb7 100644 --- a/tests/_data/snapshots/environment/plain_with-extras_1.5.xml.bin +++ b/tests/_data/snapshots/environment/plain_with-extras_1.5.xml.bin @@ -54,6 +54,11 @@ arrow 1.3.0 Better dates & times for Python + + + License :: OSI Approved :: Apache Software License + + pkg:pypi/arrow@1.3.0 @@ -132,6 +137,9 @@ Apache-2.0 + + License :: OSI Approved :: Apache Software License + pkg:pypi/cyclonedx-python-lib@6.0.0 @@ -190,6 +198,9 @@ 1.5.1 Validates fully-qualified domain names against RFC 1123, so that they are acceptable to modern bowsers + + License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0) + declared license of 'fqdn' MPL 2.0 
@@ -207,6 +218,11 @@ idna 3.6 Internationalized Domain Names in Applications (IDNA) + + + License :: OSI Approved :: BSD License + + pkg:pypi/idna@3.6 @@ -227,6 +243,11 @@ importlib-resources 6.1.1 Read resources from Python packages + + + License :: OSI Approved :: Apache Software License + + pkg:pypi/importlib-resources@6.1.1 @@ -277,6 +298,9 @@ 2.4 Identify specific nodes in a JSON document (RFC 6901) + + License :: OSI Approved :: BSD License + declared license of 'jsonpointer' Modified BSD License @@ -396,6 +420,9 @@ BSD-3-Clause + + License :: OSI Approved :: BSD License + pkg:pypi/lxml@4.9.4 @@ -451,6 +478,9 @@ Apache-2.0 + + License :: OSI Approved :: Apache Software License + pkg:pypi/py-serializable@0.16.0 @@ -473,6 +503,12 @@ 2.8.2 Extensions to the standard Python datetime module + + License :: OSI Approved :: Apache Software License + + + License :: OSI Approved :: BSD License + declared license of 'python-dateutil' Dual License @@ -636,6 +672,9 @@ 2.4.0 Sorted Containers -- Sorted List, Sorted Dict, Sorted Set + + License :: OSI Approved :: Apache Software License + declared license of 'sortedcontainers' Apache 2.0 @@ -654,6 +693,9 @@ 2.8.19.14 Typing stubs for python-dateutil + + License :: OSI Approved :: Apache Software License + declared license of 'types-python-dateutil' Apache-2.0 license @@ -712,6 +754,9 @@ BSD-3-Clause + + License :: OSI Approved :: BSD License + pkg:pypi/webcolors@1.13 diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.6.json.bin b/tests/_data/snapshots/environment/plain_with-extras_1.6.json.bin index 2ca4f772..1966ac04 100644 --- a/tests/_data/snapshots/environment/plain_with-extras_1.6.json.bin +++ b/tests/_data/snapshots/environment/plain_with-extras_1.6.json.bin 
@@ -20,6 +20,14 @@ "url": "https://github.com/arrow-py/arrow" } ], + "licenses": [ + { + "license": { + "acknowledgement": "declared", + "name": "License :: OSI Approved :: Apache Software License" + } + } + ], "name": "arrow", "purl": "pkg:pypi/arrow@1.3.0", "type": "library", @@ -63,6 +71,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } } @@ -85,6 +94,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "BSD-2-Clause" } } @@ -127,8 +137,15 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "Apache-2.0" } + }, + { + "license": { + "acknowledgement": "declared", + "name": "License :: OSI Approved :: Apache Software License" + } } ], "name": "cyclonedx-python-lib", @@ -160,11 +177,13 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "Python-2.0" } }, { "license": { + "acknowledgement": "declared", "name": "declared license of 'defusedxml'", "text": { "content": "PSFL", @@ -191,6 +210,13 @@ "licenses": [ { "license": { + "acknowledgement": "declared", + "name": "License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)" + } + }, + { + "license": { + "acknowledgement": "declared", "name": "declared license of 'fqdn'", "text": { "content": "MPL 2.0", @@ -224,6 +250,14 @@ "url": "https://github.com/kjd/idna/blob/master/HISTORY.rst" } ], + "licenses": [ + { + "license": { + "acknowledgement": "declared", + "name": "License :: OSI Approved :: BSD License" + } + } + ], "name": "idna", "purl": "pkg:pypi/idna@3.6", "type": "library", @@ -244,6 +278,14 @@ "url": "https://github.com/python/importlib_resources" } ], + "licenses": [ + { + "license": { + "acknowledgement": "declared", + "name": "License :: OSI Approved :: Apache Software License" + } + } + ], "name": "importlib-resources", "purl": "pkg:pypi/importlib-resources@6.1.1", "type": "library", 
@@ -277,11 +319,13 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "ISC" } }, { "license": { + "acknowledgement": "declared", "name": "declared license of 'isoduration'", "text": { "content": "UNKNOWN", @@ -308,6 +352,13 @@ "licenses": [ { "license": { + "acknowledgement": "declared", + "name": "License :: OSI Approved :: BSD License" + } + }, + { + "license": { + "acknowledgement": "declared", "name": "declared license of 'jsonpointer'", "text": { "content": "Modified BSD License", @@ -364,6 +415,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } } @@ -417,6 +469,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } } @@ -439,6 +492,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "Apache-2.0" } } @@ -466,8 +520,15 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "BSD-3-Clause" } + }, + { + "license": { + "acknowledgement": "declared", + "name": "License :: OSI Approved :: BSD License" + } } ], "name": "lxml", @@ -488,6 +549,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } } @@ -510,6 +572,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } } @@ -542,8 +605,15 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "Apache-2.0" } + }, + { + "license": { + "acknowledgement": "declared", + "name": "License :: OSI Approved :: Apache Software License" + } } ], "name": "py-serializable", @@ -574,6 +644,19 @@ "licenses": [ { "license": { + "acknowledgement": "declared", + "name": "License :: OSI Approved :: Apache Software License" + } + }, + { + "license": { + "acknowledgement": "declared", + "name": "License :: OSI Approved :: BSD License" + } + }, + { + "license": { + "acknowledgement": "declared", "name": "declared license of 'python-dateutil'", "text": { "content": "Dual License", 
@@ -625,6 +708,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } } @@ -647,11 +731,13 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } }, { "license": { + "acknowledgement": "declared", "name": "declared license of 'rfc3339-validator'", "text": { "content": "MIT license", @@ -683,11 +769,13 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "GPL-3.0-or-later" } }, { "license": { + "acknowledgement": "declared", "name": "declared license of 'rfc3987'", "text": { "content": "GNU GPLv3+", @@ -739,6 +827,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } } @@ -761,6 +850,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } } @@ -783,6 +873,13 @@ "licenses": [ { "license": { + "acknowledgement": "declared", + "name": "License :: OSI Approved :: Apache Software License" + } + }, + { + "license": { + "acknowledgement": "declared", "name": "declared license of 'sortedcontainers'", "text": { "content": "Apache 2.0", @@ -829,6 +926,13 @@ "licenses": [ { "license": { + "acknowledgement": "declared", + "name": "License :: OSI Approved :: Apache Software License" + } + }, + { + "license": { + "acknowledgement": "declared", "name": "declared license of 'types-python-dateutil'", "text": { "content": "Apache-2.0 license", @@ -855,11 +959,13 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } }, { "license": { + "acknowledgement": "declared", "name": "declared license of 'uri-template'", "text": { "content": "MIT License", @@ -891,8 +997,15 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "BSD-3-Clause" } + }, + { + "license": { + "acknowledgement": "declared", + "name": "License :: OSI Approved :: BSD License" + } } ], "name": "webcolors", @@ -913,6 +1026,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } } 
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.6.xml.bin b/tests/_data/snapshots/environment/plain_with-extras_1.6.xml.bin index 6e796891..921e6243 100644 --- a/tests/_data/snapshots/environment/plain_with-extras_1.6.xml.bin +++ b/tests/_data/snapshots/environment/plain_with-extras_1.6.xml.bin @@ -54,6 +54,11 @@ arrow 1.3.0 Better dates & times for Python + + + License :: OSI Approved :: Apache Software License + + pkg:pypi/arrow@1.3.0 @@ -75,7 +80,7 @@ 23.1.0 Classes Without Boilerplate - + MIT @@ -112,7 +117,7 @@ 4.0 Define boolean algebras, create and parse boolean expressions and create custom boolean DSL. - + BSD-2-Clause @@ -129,9 +134,12 @@ 6.0.0 Python library for CycloneDX - + Apache-2.0 + + License :: OSI Approved :: Apache Software License + pkg:pypi/cyclonedx-python-lib@6.0.0 @@ -165,10 +173,10 @@ 0.7.1 XML bomb protection for Python stdlib modules - + Python-2.0 - + declared license of 'defusedxml' PSFL @@ -190,7 +198,10 @@ 1.5.1 Validates fully-qualified domain names against RFC 1123, so that they are acceptable to modern bowsers - + + License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0) + + declared license of 'fqdn' MPL 2.0 @@ -207,6 +218,11 @@ idna 3.6 Internationalized Domain Names in Applications (IDNA) + + + License :: OSI Approved :: BSD License + + pkg:pypi/idna@3.6 @@ -227,6 +243,11 @@ importlib-resources 6.1.1 Read resources from Python packages + + + License :: OSI Approved :: Apache Software License + + pkg:pypi/importlib-resources@6.1.1 @@ -244,10 +265,10 @@ 20.11.0 Operations with ISO 8601 durations - + ISC - + declared license of 'isoduration' UNKNOWN @@ -277,7 +298,10 @@ 2.4 Identify specific nodes in a JSON document (RFC 6901) - + + License :: OSI Approved :: BSD License + + declared license of 'jsonpointer' Modified BSD License @@ -295,7 +319,7 @@ 4.20.0 An implementation of JSON Schema validation for Python - + MIT 
@@ -339,7 +363,7 @@ 2023.11.2 The JSON Schema meta-schemas and vocabularies, exposed as a Registry - + MIT @@ -376,7 +400,7 @@ 30.2.0 license-expression is a comprehensive utility library to parse, compare, simplify and normalize license expressions (such as SPDX license expressions) using boolean logic. - + Apache-2.0 @@ -393,9 +417,12 @@ 4.9.4 Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API. - + BSD-3-Clause + + License :: OSI Approved :: BSD License + pkg:pypi/lxml@4.9.4 @@ -414,7 +441,7 @@ 0.13.1 A purl aka. Package URL parser and builder - + MIT @@ -431,7 +458,7 @@ 1.3.10 Resolve a name to an object. - + MIT @@ -448,9 +475,12 @@ 0.16.0 Library for serializing and deserializing Python Objects to and from JSON and XML. - + Apache-2.0 + + License :: OSI Approved :: Apache Software License + pkg:pypi/py-serializable@0.16.0 @@ -473,7 +503,13 @@ 2.8.2 Extensions to the standard Python datetime module - + + License :: OSI Approved :: Apache Software License + + + License :: OSI Approved :: BSD License + + declared license of 'python-dateutil' Dual License @@ -499,7 +535,7 @@ 0.32.0 JSON Referencing + Python - + MIT @@ -536,10 +572,10 @@ 0.1.4 A pure python RFC3339 validator - + MIT - + declared license of 'rfc3339-validator' MIT license @@ -557,10 +593,10 @@ 1.3.8 Parsing and validation of URIs (RFC 3986) and IRIs (RFC 3987) - + GPL-3.0-or-later - + declared license of 'rfc3987' GNU GPLv3+ @@ -582,7 +618,7 @@ 0.15.2 Python bindings to Rust's persistent data structures (rpds) - + MIT @@ -619,7 +655,7 @@ 1.16.0 Python 2 and 3 compatibility utilities - + MIT @@ -636,7 +672,10 @@ 2.4.0 Sorted Containers -- Sorted List, Sorted Dict, Sorted Set - + + License :: OSI Approved :: Apache Software License + + declared license of 'sortedcontainers' Apache 2.0 
@@ -654,7 +693,10 @@ 2.8.19.14 Typing stubs for python-dateutil - + + License :: OSI Approved :: Apache Software License + + declared license of 'types-python-dateutil' Apache-2.0 license @@ -688,10 +730,10 @@ 1.3.0 RFC 6570 URI Template Processor - + MIT - + declared license of 'uri-template' MIT License @@ -709,9 +751,12 @@ 1.13 A library for working with the color formats defined by HTML and CSS. - + BSD-3-Clause + + License :: OSI Approved :: BSD License + pkg:pypi/webcolors@1.13 @@ -730,7 +775,7 @@ 3.17.0 Backport of pathlib-compatible object wrapper for zip files - + MIT diff --git a/tests/_data/snapshots/environment/plain_with-license-file_1.6.json.bin b/tests/_data/snapshots/environment/plain_with-license-file_1.6.json.bin index ba447cc8..9eb7de34 100644 --- a/tests/_data/snapshots/environment/plain_with-license-file_1.6.json.bin +++ b/tests/_data/snapshots/environment/plain_with-license-file_1.6.json.bin @@ -11,6 +11,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "name": "declared license of 'with-license-file'", "text": { "content": "VGhpcyBpcyB0aGUgbGljZW5zZSB0ZXh0IG9mIHRoaXMgY29tcG9uZW50LgpJdCBpcyBleHBlY3RlZCB0byBiZSBhdmFpbGFibGUgaW4gYSBTQk9NLgo=", diff --git a/tests/_data/snapshots/environment/plain_with-license-file_1.6.xml.bin b/tests/_data/snapshots/environment/plain_with-license-file_1.6.xml.bin index 138e0699..89460f5b 100644 --- a/tests/_data/snapshots/environment/plain_with-license-file_1.6.xml.bin +++ b/tests/_data/snapshots/environment/plain_with-license-file_1.6.xml.bin @@ -45,7 +45,7 @@ 0.1.0 with licenses from file, instead of SPDX ID/Expression - + declared license of 'with-license-file' VGhpcyBpcyB0aGUgbGljZW5zZSB0ZXh0IG9mIHRoaXMgY29tcG9uZW50LgpJdCBpcyBleHBlY3RlZCB0byBiZSBhdmFpbGFibGUgaW4gYSBTQk9NLgo= diff --git a/tests/_data/snapshots/environment/plain_with-license-text_1.1.xml.bin b/tests/_data/snapshots/environment/plain_with-license-text_1.1.xml.bin index b57c90f3..7b5ef01b 100644 
--- a/tests/_data/snapshots/environment/plain_with-license-text_1.1.xml.bin +++ b/tests/_data/snapshots/environment/plain_with-license-text_1.1.xml.bin @@ -26,6 +26,9 @@ Apache-2.0 + + License :: OSI Approved :: Apache Software License + diff --git a/tests/_data/snapshots/environment/plain_with-license-text_1.2.json.bin b/tests/_data/snapshots/environment/plain_with-license-text_1.2.json.bin index a07cf4c4..56683c7f 100644 --- a/tests/_data/snapshots/environment/plain_with-license-text_1.2.json.bin +++ b/tests/_data/snapshots/environment/plain_with-license-text_1.2.json.bin @@ -40,6 +40,11 @@ "license": { "id": "Apache-2.0" } + }, + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } } ], "name": "package-b", diff --git a/tests/_data/snapshots/environment/plain_with-license-text_1.2.xml.bin b/tests/_data/snapshots/environment/plain_with-license-text_1.2.xml.bin index d924cabd..bb207cb6 100644 --- a/tests/_data/snapshots/environment/plain_with-license-text_1.2.xml.bin +++ b/tests/_data/snapshots/environment/plain_with-license-text_1.2.xml.bin @@ -52,6 +52,9 @@ It is expected to be available in a SBOM. Apache-2.0 + + License :: OSI Approved :: Apache Software License + diff --git a/tests/_data/snapshots/environment/plain_with-license-text_1.3.json.bin b/tests/_data/snapshots/environment/plain_with-license-text_1.3.json.bin index 5fc0ff8c..fb9a12f9 100644 --- a/tests/_data/snapshots/environment/plain_with-license-text_1.3.json.bin +++ b/tests/_data/snapshots/environment/plain_with-license-text_1.3.json.bin @@ -52,6 +52,11 @@ "license": { "id": "Apache-2.0" } + }, + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } } ], "name": "package-b", diff --git a/tests/_data/snapshots/environment/plain_with-license-text_1.3.xml.bin b/tests/_data/snapshots/environment/plain_with-license-text_1.3.xml.bin index 9929fff1..bab72695 100644 --- a/tests/_data/snapshots/environment/plain_with-license-text_1.3.xml.bin 
+++ b/tests/_data/snapshots/environment/plain_with-license-text_1.3.xml.bin @@ -58,6 +58,9 @@ It is expected to be available in a SBOM. Apache-2.0 + + License :: OSI Approved :: Apache Software License + diff --git a/tests/_data/snapshots/environment/plain_with-license-text_1.4.json.bin b/tests/_data/snapshots/environment/plain_with-license-text_1.4.json.bin index e41eff71..969721e3 100644 --- a/tests/_data/snapshots/environment/plain_with-license-text_1.4.json.bin +++ b/tests/_data/snapshots/environment/plain_with-license-text_1.4.json.bin @@ -52,6 +52,11 @@ "license": { "id": "Apache-2.0" } + }, + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } } ], "name": "package-b", diff --git a/tests/_data/snapshots/environment/plain_with-license-text_1.4.xml.bin b/tests/_data/snapshots/environment/plain_with-license-text_1.4.xml.bin index f4b58571..c4ca4f86 100644 --- a/tests/_data/snapshots/environment/plain_with-license-text_1.4.xml.bin +++ b/tests/_data/snapshots/environment/plain_with-license-text_1.4.xml.bin @@ -85,6 +85,9 @@ It is expected to be available in a SBOM. Apache-2.0 + + License :: OSI Approved :: Apache Software License + diff --git a/tests/_data/snapshots/environment/plain_with-license-text_1.5.json.bin b/tests/_data/snapshots/environment/plain_with-license-text_1.5.json.bin index 1215ff89..ab848066 100644 --- a/tests/_data/snapshots/environment/plain_with-license-text_1.5.json.bin +++ b/tests/_data/snapshots/environment/plain_with-license-text_1.5.json.bin @@ -52,6 +52,11 @@ "license": { "id": "Apache-2.0" } + }, + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } } ], "name": "package-b", diff --git a/tests/_data/snapshots/environment/plain_with-license-text_1.5.xml.bin b/tests/_data/snapshots/environment/plain_with-license-text_1.5.xml.bin index 71e31ea7..d56840b9 100644 --- a/tests/_data/snapshots/environment/plain_with-license-text_1.5.xml.bin 
+++ b/tests/_data/snapshots/environment/plain_with-license-text_1.5.xml.bin @@ -85,6 +85,9 @@ It is expected to be available in a SBOM. Apache-2.0 + + License :: OSI Approved :: Apache Software License + diff --git a/tests/_data/snapshots/environment/plain_with-license-text_1.6.json.bin b/tests/_data/snapshots/environment/plain_with-license-text_1.6.json.bin index c1ea7d37..74303268 100644 --- a/tests/_data/snapshots/environment/plain_with-license-text_1.6.json.bin +++ b/tests/_data/snapshots/environment/plain_with-license-text_1.6.json.bin @@ -19,6 +19,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "name": "declared license of 'package-a'", "text": { "content": "some license text", @@ -50,8 +51,15 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "Apache-2.0" } + }, + { + "license": { + "acknowledgement": "declared", + "name": "License :: OSI Approved :: Apache Software License" + } } ], "name": "package-b", @@ -76,6 +84,7 @@ ], "licenses": [ { + "acknowledgement": "declared", "expression": "Apache-2.0 OR MIT" } ], @@ -105,6 +114,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "name": "declared license of 'with-license-text'", "text": { "content": "This is the license text of this component.\nIt is expected to be available in a SBOM.", diff --git a/tests/_data/snapshots/environment/plain_with-license-text_1.6.xml.bin b/tests/_data/snapshots/environment/plain_with-license-text_1.6.xml.bin index 2fb35544..61dd69d2 100644 --- a/tests/_data/snapshots/environment/plain_with-license-text_1.6.xml.bin +++ b/tests/_data/snapshots/environment/plain_with-license-text_1.6.xml.bin @@ -45,7 +45,7 @@ 0.1.0 with licenses as text, instead of SPDX ID/Expression - + declared license of 'with-license-text' This is the license text of this component. It is expected to be available in a SBOM. @@ -62,7 +62,7 @@ It is expected to be available in a SBOM. 23.42 some package A - + declared license of 'package-a' some license text 
@@ -82,9 +82,12 @@ It is expected to be available in a SBOM. 23.42 some package B - + Apache-2.0 + + License :: OSI Approved :: Apache Software License + @@ -101,7 +104,7 @@ It is expected to be available in a SBOM. 23.42 some package C - Apache-2.0 OR MIT + Apache-2.0 OR MIT diff --git a/tests/_data/snapshots/environment/plain_with-urls_1.1.xml.bin b/tests/_data/snapshots/environment/plain_with-urls_1.1.xml.bin index 142be2d9..f56c37c8 100644 --- a/tests/_data/snapshots/environment/plain_with-urls_1.1.xml.bin +++ b/tests/_data/snapshots/environment/plain_with-urls_1.1.xml.bin @@ -5,6 +5,14 @@ packaging 23.2 Core utilities for Python packages + + + License :: OSI Approved :: Apache Software License + + + License :: OSI Approved :: BSD License + + pkg:pypi/packaging@23.2?vcs_url=git%2Bhttps://github.com/pypa/packaging.git%40b3a5d7d68991c040615d5345bb55f61de53ba176 diff --git a/tests/_data/snapshots/environment/plain_with-urls_1.2.json.bin b/tests/_data/snapshots/environment/plain_with-urls_1.2.json.bin index e0478567..1464717f 100644 --- a/tests/_data/snapshots/environment/plain_with-urls_1.2.json.bin +++ b/tests/_data/snapshots/environment/plain_with-urls_1.2.json.bin @@ -20,6 +20,18 @@ "url": "https://github.com/pypa/packaging.git#b3a5d7d68991c040615d5345bb55f61de53ba176" } ], + "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + }, + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } + } + ], "name": "packaging", "purl": "pkg:pypi/packaging@23.2?vcs_url=git%2Bhttps://github.com/pypa/packaging.git%40b3a5d7d68991c040615d5345bb55f61de53ba176", "type": "library", diff --git a/tests/_data/snapshots/environment/plain_with-urls_1.2.xml.bin b/tests/_data/snapshots/environment/plain_with-urls_1.2.xml.bin index df7fea29..489e45f6 100644 --- a/tests/_data/snapshots/environment/plain_with-urls_1.2.xml.bin +++ b/tests/_data/snapshots/environment/plain_with-urls_1.2.xml.bin 
@@ -24,6 +24,14 @@ packaging 23.2 Core utilities for Python packages + + + License :: OSI Approved :: Apache Software License + + + License :: OSI Approved :: BSD License + + pkg:pypi/packaging@23.2?vcs_url=git%2Bhttps://github.com/pypa/packaging.git%40b3a5d7d68991c040615d5345bb55f61de53ba176 diff --git a/tests/_data/snapshots/environment/plain_with-urls_1.3.json.bin b/tests/_data/snapshots/environment/plain_with-urls_1.3.json.bin index fbe2c59a..8f0dfdf8 100644 --- a/tests/_data/snapshots/environment/plain_with-urls_1.3.json.bin +++ b/tests/_data/snapshots/environment/plain_with-urls_1.3.json.bin @@ -20,6 +20,18 @@ "url": "https://github.com/pypa/packaging.git#b3a5d7d68991c040615d5345bb55f61de53ba176" } ], + "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + }, + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } + } + ], "name": "packaging", "properties": [ { diff --git a/tests/_data/snapshots/environment/plain_with-urls_1.3.xml.bin b/tests/_data/snapshots/environment/plain_with-urls_1.3.xml.bin index 4883e88a..aff81dc5 100644 --- a/tests/_data/snapshots/environment/plain_with-urls_1.3.xml.bin +++ b/tests/_data/snapshots/environment/plain_with-urls_1.3.xml.bin @@ -27,6 +27,14 @@ packaging 23.2 Core utilities for Python packages + + + License :: OSI Approved :: Apache Software License + + + License :: OSI Approved :: BSD License + + pkg:pypi/packaging@23.2?vcs_url=git%2Bhttps://github.com/pypa/packaging.git%40b3a5d7d68991c040615d5345bb55f61de53ba176 diff --git a/tests/_data/snapshots/environment/plain_with-urls_1.4.json.bin b/tests/_data/snapshots/environment/plain_with-urls_1.4.json.bin index f53222e6..cd06c76a 100644 --- a/tests/_data/snapshots/environment/plain_with-urls_1.4.json.bin +++ b/tests/_data/snapshots/environment/plain_with-urls_1.4.json.bin 
@@ -20,6 +20,18 @@ "url": "https://github.com/pypa/packaging.git#b3a5d7d68991c040615d5345bb55f61de53ba176" } ], + "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + }, + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } + } + ], "name": "packaging", "properties": [ { diff --git a/tests/_data/snapshots/environment/plain_with-urls_1.4.xml.bin b/tests/_data/snapshots/environment/plain_with-urls_1.4.xml.bin index c52912db..f388a968 100644 --- a/tests/_data/snapshots/environment/plain_with-urls_1.4.xml.bin +++ b/tests/_data/snapshots/environment/plain_with-urls_1.4.xml.bin @@ -54,6 +54,14 @@ packaging 23.2 Core utilities for Python packages + + + License :: OSI Approved :: Apache Software License + + + License :: OSI Approved :: BSD License + + pkg:pypi/packaging@23.2?vcs_url=git%2Bhttps://github.com/pypa/packaging.git%40b3a5d7d68991c040615d5345bb55f61de53ba176 diff --git a/tests/_data/snapshots/environment/plain_with-urls_1.5.json.bin b/tests/_data/snapshots/environment/plain_with-urls_1.5.json.bin index 367085bf..ebef0b76 100644 --- a/tests/_data/snapshots/environment/plain_with-urls_1.5.json.bin +++ b/tests/_data/snapshots/environment/plain_with-urls_1.5.json.bin @@ -20,6 +20,18 @@ "url": "https://github.com/pypa/packaging.git#b3a5d7d68991c040615d5345bb55f61de53ba176" } ], + "licenses": [ + { + "license": { + "name": "License :: OSI Approved :: Apache Software License" + } + }, + { + "license": { + "name": "License :: OSI Approved :: BSD License" + } + } + ], "name": "packaging", "properties": [ { diff --git a/tests/_data/snapshots/environment/plain_with-urls_1.5.xml.bin b/tests/_data/snapshots/environment/plain_with-urls_1.5.xml.bin index ee2e587f..413bef66 100644 --- a/tests/_data/snapshots/environment/plain_with-urls_1.5.xml.bin +++ b/tests/_data/snapshots/environment/plain_with-urls_1.5.xml.bin 
@@ -54,6 +54,14 @@ packaging 23.2 Core utilities for Python packages + + + License :: OSI Approved :: Apache Software License + + + License :: OSI Approved :: BSD License + + pkg:pypi/packaging@23.2?vcs_url=git%2Bhttps://github.com/pypa/packaging.git%40b3a5d7d68991c040615d5345bb55f61de53ba176 diff --git a/tests/_data/snapshots/environment/plain_with-urls_1.6.json.bin b/tests/_data/snapshots/environment/plain_with-urls_1.6.json.bin index b0ead911..c7106498 100644 --- a/tests/_data/snapshots/environment/plain_with-urls_1.6.json.bin +++ b/tests/_data/snapshots/environment/plain_with-urls_1.6.json.bin @@ -20,6 +20,20 @@ "url": "https://github.com/pypa/packaging.git#b3a5d7d68991c040615d5345bb55f61de53ba176" } ], + "licenses": [ + { + "license": { + "acknowledgement": "declared", + "name": "License :: OSI Approved :: Apache Software License" + } + }, + { + "license": { + "acknowledgement": "declared", + "name": "License :: OSI Approved :: BSD License" + } + } + ], "name": "packaging", "properties": [ { @@ -59,6 +73,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } } @@ -97,6 +112,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } } @@ -145,6 +161,7 @@ "licenses": [ { "license": { + "acknowledgement": "declared", "id": "MIT" } } diff --git a/tests/_data/snapshots/environment/plain_with-urls_1.6.xml.bin b/tests/_data/snapshots/environment/plain_with-urls_1.6.xml.bin index baa59f81..d79d1059 100644 --- a/tests/_data/snapshots/environment/plain_with-urls_1.6.xml.bin +++ b/tests/_data/snapshots/environment/plain_with-urls_1.6.xml.bin @@ -54,6 +54,14 @@ packaging 23.2 Core utilities for Python packages + + + License :: OSI Approved :: Apache Software License + + + License :: OSI Approved :: BSD License + + pkg:pypi/packaging@23.2?vcs_url=git%2Bhttps://github.com/pypa/packaging.git%40b3a5d7d68991c040615d5345bb55f61de53ba176 @@ -79,7 +87,7 @@ 1.16.0 Python 2 and 3 compatibility utilities - + MIT 
@@ -103,7 +111,7 @@ 2.0.1 A lil' TOML parser - + MIT @@ -131,7 +139,7 @@ 2.2.0 HTTP library with thread-safe connection pooling, file post, and more. - + MIT diff --git a/tests/_data/snapshots/pipenv/plain_no-deps_1.6.json.bin b/tests/_data/snapshots/pipenv/plain_no-deps_1.6.json.bin index 3e3dd692..60631689 100644 --- a/tests/_data/snapshots/pipenv/plain_no-deps_1.6.json.bin +++ b/tests/_data/snapshots/pipenv/plain_no-deps_1.6.json.bin @@ -42,6 +42,7 @@ ], "licenses": [ { + "acknowledgement": "declared", "expression": "Apache-2.0 OR MIT" } ], diff --git a/tests/_data/snapshots/pipenv/plain_no-deps_1.6.xml.bin b/tests/_data/snapshots/pipenv/plain_no-deps_1.6.xml.bin index 144cdcac..8081bd9d 100644 --- a/tests/_data/snapshots/pipenv/plain_no-deps_1.6.xml.bin +++ b/tests/_data/snapshots/pipenv/plain_no-deps_1.6.xml.bin @@ -45,7 +45,7 @@ 0.1.0 packages with all meta, but no deps - Apache-2.0 OR MIT + Apache-2.0 OR MIT diff --git a/tests/_data/snapshots/poetry/plain_no-deps_lock20_1.6.json.bin b/tests/_data/snapshots/poetry/plain_no-deps_lock20_1.6.json.bin index 29702e95..5bb01672 100644 --- a/tests/_data/snapshots/poetry/plain_no-deps_lock20_1.6.json.bin +++ b/tests/_data/snapshots/poetry/plain_no-deps_lock20_1.6.json.bin @@ -42,6 +42,7 @@ ], "licenses": [ { + "acknowledgement": "declared", "expression": "Apache-2.0 OR MIT" } ], diff --git a/tests/_data/snapshots/poetry/plain_no-deps_lock20_1.6.xml.bin b/tests/_data/snapshots/poetry/plain_no-deps_lock20_1.6.xml.bin index e1e47f94..92c9848f 100644 --- a/tests/_data/snapshots/poetry/plain_no-deps_lock20_1.6.xml.bin +++ b/tests/_data/snapshots/poetry/plain_no-deps_lock20_1.6.xml.bin @@ -45,7 +45,7 @@ 0.1.0 packages with all meta, but no deps - Apache-2.0 OR MIT + Apache-2.0 OR MIT diff --git a/tests/_data/snapshots/requirements/file_frozen_1.6.json.bin b/tests/_data/snapshots/requirements/file_frozen_1.6.json.bin index f4774d75..99e8c498 100644 --- a/tests/_data/snapshots/requirements/file_frozen_1.6.json.bin 
+++ b/tests/_data/snapshots/requirements/file_frozen_1.6.json.bin @@ -90,6 +90,7 @@ ], "licenses": [ { + "acknowledgement": "declared", "expression": "Apache-2.0 OR MIT" } ], diff --git a/tests/_data/snapshots/requirements/file_frozen_1.6.xml.bin b/tests/_data/snapshots/requirements/file_frozen_1.6.xml.bin index 9ced2956..0b7b4269 100644 --- a/tests/_data/snapshots/requirements/file_frozen_1.6.xml.bin +++ b/tests/_data/snapshots/requirements/file_frozen_1.6.xml.bin @@ -45,7 +45,7 @@ 0.1.0 some `reuqirements.txt` a root-component with all metadata - Apache-2.0 OR MIT + Apache-2.0 OR MIT diff --git a/tests/_data/snapshots/requirements/file_local_1.6.json.bin b/tests/_data/snapshots/requirements/file_local_1.6.json.bin index 1cbf230e..cf80c7bf 100644 --- a/tests/_data/snapshots/requirements/file_local_1.6.json.bin +++ b/tests/_data/snapshots/requirements/file_local_1.6.json.bin @@ -147,6 +147,7 @@ ], "licenses": [ { + "acknowledgement": "declared", "expression": "Apache-2.0 OR MIT" } ], diff --git a/tests/_data/snapshots/requirements/file_local_1.6.xml.bin b/tests/_data/snapshots/requirements/file_local_1.6.xml.bin index 73e9e48e..86cdaea8 100644 --- a/tests/_data/snapshots/requirements/file_local_1.6.xml.bin +++ b/tests/_data/snapshots/requirements/file_local_1.6.xml.bin @@ -45,7 +45,7 @@ 0.1.0 some `reuqirements.txt` a root-component with all metadata - Apache-2.0 OR MIT + Apache-2.0 OR MIT diff --git a/tests/_data/snapshots/requirements/file_nested_1.6.json.bin b/tests/_data/snapshots/requirements/file_nested_1.6.json.bin index f4774d75..99e8c498 100644 --- a/tests/_data/snapshots/requirements/file_nested_1.6.json.bin +++ b/tests/_data/snapshots/requirements/file_nested_1.6.json.bin @@ -90,6 +90,7 @@ ], "licenses": [ { + "acknowledgement": "declared", "expression": "Apache-2.0 OR MIT" } ], diff --git a/tests/_data/snapshots/requirements/file_nested_1.6.xml.bin b/tests/_data/snapshots/requirements/file_nested_1.6.xml.bin index 9ced2956..0b7b4269 100644 
--- a/tests/_data/snapshots/requirements/file_nested_1.6.xml.bin +++ b/tests/_data/snapshots/requirements/file_nested_1.6.xml.bin @@ -45,7 +45,7 @@ 0.1.0 some `reuqirements.txt` a root-component with all metadata - Apache-2.0 OR MIT + Apache-2.0 OR MIT diff --git a/tests/_data/snapshots/requirements/file_private-packages_1.6.json.bin b/tests/_data/snapshots/requirements/file_private-packages_1.6.json.bin index e0eaa5cb..4b0ad3f8 100644 --- a/tests/_data/snapshots/requirements/file_private-packages_1.6.json.bin +++ b/tests/_data/snapshots/requirements/file_private-packages_1.6.json.bin @@ -89,6 +89,7 @@ ], "licenses": [ { + "acknowledgement": "declared", "expression": "Apache-2.0 OR MIT" } ], diff --git a/tests/_data/snapshots/requirements/file_private-packages_1.6.xml.bin b/tests/_data/snapshots/requirements/file_private-packages_1.6.xml.bin index 25080600..5eddae60 100644 --- a/tests/_data/snapshots/requirements/file_private-packages_1.6.xml.bin +++ b/tests/_data/snapshots/requirements/file_private-packages_1.6.xml.bin @@ -45,7 +45,7 @@ 0.1.0 some `reuqirements.txt` a root-component with all metadata - Apache-2.0 OR MIT + Apache-2.0 OR MIT diff --git a/tests/_data/snapshots/requirements/file_regression-issue448.cp1252.txt_1.6.json.bin b/tests/_data/snapshots/requirements/file_regression-issue448.cp1252.txt_1.6.json.bin index 03020d3a..893001e7 100644 --- a/tests/_data/snapshots/requirements/file_regression-issue448.cp1252.txt_1.6.json.bin +++ b/tests/_data/snapshots/requirements/file_regression-issue448.cp1252.txt_1.6.json.bin @@ -95,6 +95,7 @@ ], "licenses": [ { + "acknowledgement": "declared", "expression": "Apache-2.0 OR MIT" } ], diff --git a/tests/_data/snapshots/requirements/file_regression-issue448.cp1252.txt_1.6.xml.bin b/tests/_data/snapshots/requirements/file_regression-issue448.cp1252.txt_1.6.xml.bin index 1b47f723..d7eeae40 100644 --- a/tests/_data/snapshots/requirements/file_regression-issue448.cp1252.txt_1.6.xml.bin 
+++ b/tests/_data/snapshots/requirements/file_regression-issue448.cp1252.txt_1.6.xml.bin @@ -45,7 +45,7 @@ 0.1.0 some `reuqirements.txt` a root-component with all metadata - Apache-2.0 OR MIT + Apache-2.0 OR MIT diff --git a/tests/_data/snapshots/requirements/file_with-comments_1.6.json.bin b/tests/_data/snapshots/requirements/file_with-comments_1.6.json.bin index d8459e14..fd8989d4 100644 --- a/tests/_data/snapshots/requirements/file_with-comments_1.6.json.bin +++ b/tests/_data/snapshots/requirements/file_with-comments_1.6.json.bin @@ -134,6 +134,7 @@ ], "licenses": [ { + "acknowledgement": "declared", "expression": "Apache-2.0 OR MIT" } ], diff --git a/tests/_data/snapshots/requirements/file_with-comments_1.6.xml.bin b/tests/_data/snapshots/requirements/file_with-comments_1.6.xml.bin index 6c45c463..4e1e24ee 100644 --- a/tests/_data/snapshots/requirements/file_with-comments_1.6.xml.bin +++ b/tests/_data/snapshots/requirements/file_with-comments_1.6.xml.bin @@ -45,7 +45,7 @@ 0.1.0 some `reuqirements.txt` a root-component with all metadata - Apache-2.0 OR MIT + Apache-2.0 OR MIT diff --git a/tests/_data/snapshots/requirements/file_with-extras_1.6.json.bin b/tests/_data/snapshots/requirements/file_with-extras_1.6.json.bin index e5232b83..4474c55e 100644 --- a/tests/_data/snapshots/requirements/file_with-extras_1.6.json.bin +++ b/tests/_data/snapshots/requirements/file_with-extras_1.6.json.bin @@ -72,6 +72,7 @@ ], "licenses": [ { + "acknowledgement": "declared", "expression": "Apache-2.0 OR MIT" } ], diff --git a/tests/_data/snapshots/requirements/file_with-extras_1.6.xml.bin b/tests/_data/snapshots/requirements/file_with-extras_1.6.xml.bin index a7b91234..8244f32c 100644 --- a/tests/_data/snapshots/requirements/file_with-extras_1.6.xml.bin +++ b/tests/_data/snapshots/requirements/file_with-extras_1.6.xml.bin @@ -45,7 +45,7 @@ 0.1.0 some `reuqirements.txt` a root-component with all metadata - Apache-2.0 OR MIT + Apache-2.0 OR MIT 
diff --git a/tests/_data/snapshots/requirements/file_with-hashes_1.6.json.bin b/tests/_data/snapshots/requirements/file_with-hashes_1.6.json.bin index 81b6effe..9cf5247f 100644 --- a/tests/_data/snapshots/requirements/file_with-hashes_1.6.json.bin +++ b/tests/_data/snapshots/requirements/file_with-hashes_1.6.json.bin @@ -173,6 +173,7 @@ ], "licenses": [ { + "acknowledgement": "declared", "expression": "Apache-2.0 OR MIT" } ], diff --git a/tests/_data/snapshots/requirements/file_with-hashes_1.6.xml.bin b/tests/_data/snapshots/requirements/file_with-hashes_1.6.xml.bin index d5460962..54e1f140 100644 --- a/tests/_data/snapshots/requirements/file_with-hashes_1.6.xml.bin +++ b/tests/_data/snapshots/requirements/file_with-hashes_1.6.xml.bin @@ -45,7 +45,7 @@ 0.1.0 some `reuqirements.txt` a root-component with all metadata - Apache-2.0 OR MIT + Apache-2.0 OR MIT diff --git a/tests/_data/snapshots/requirements/file_with-urls_1.6.json.bin b/tests/_data/snapshots/requirements/file_with-urls_1.6.json.bin index 7cc50997..d8051d99 100644 --- a/tests/_data/snapshots/requirements/file_with-urls_1.6.json.bin +++ b/tests/_data/snapshots/requirements/file_with-urls_1.6.json.bin @@ -163,6 +163,7 @@ ], "licenses": [ { + "acknowledgement": "declared", "expression": "Apache-2.0 OR MIT" } ], diff --git a/tests/_data/snapshots/requirements/file_with-urls_1.6.xml.bin b/tests/_data/snapshots/requirements/file_with-urls_1.6.xml.bin index 49344564..8142ee52 100644 --- a/tests/_data/snapshots/requirements/file_with-urls_1.6.xml.bin +++ b/tests/_data/snapshots/requirements/file_with-urls_1.6.xml.bin @@ -45,7 +45,7 @@ 0.1.0 some `reuqirements.txt` a root-component with all metadata - Apache-2.0 OR MIT + Apache-2.0 OR MIT diff --git a/tests/_data/snapshots/requirements/file_without-pinned-versions_1.6.json.bin b/tests/_data/snapshots/requirements/file_without-pinned-versions_1.6.json.bin index a975e8a8..f732ba3e 100644 
--- a/tests/_data/snapshots/requirements/file_without-pinned-versions_1.6.json.bin +++ b/tests/_data/snapshots/requirements/file_without-pinned-versions_1.6.json.bin @@ -95,6 +95,7 @@ ], "licenses": [ { + "acknowledgement": "declared", "expression": "Apache-2.0 OR MIT" } ], diff --git a/tests/_data/snapshots/requirements/file_without-pinned-versions_1.6.xml.bin b/tests/_data/snapshots/requirements/file_without-pinned-versions_1.6.xml.bin index a99fa87a..3f525eee 100644 --- a/tests/_data/snapshots/requirements/file_without-pinned-versions_1.6.xml.bin +++ b/tests/_data/snapshots/requirements/file_without-pinned-versions_1.6.xml.bin @@ -45,7 +45,7 @@ 0.1.0 some `reuqirements.txt` a root-component with all metadata - Apache-2.0 OR MIT + Apache-2.0 OR MIT diff --git a/tests/_data/snapshots/requirements/index_auth_frozen_1.6.json.bin b/tests/_data/snapshots/requirements/index_auth_frozen_1.6.json.bin index 36f4b3e0..8a15b4c4 100644 --- a/tests/_data/snapshots/requirements/index_auth_frozen_1.6.json.bin +++ b/tests/_data/snapshots/requirements/index_auth_frozen_1.6.json.bin @@ -130,6 +130,7 @@ ], "licenses": [ { + "acknowledgement": "declared", "expression": "Apache-2.0 OR MIT" } ], diff --git a/tests/_data/snapshots/requirements/index_auth_frozen_1.6.xml.bin b/tests/_data/snapshots/requirements/index_auth_frozen_1.6.xml.bin index c46d4b2b..4eeca36e 100644 --- a/tests/_data/snapshots/requirements/index_auth_frozen_1.6.xml.bin +++ b/tests/_data/snapshots/requirements/index_auth_frozen_1.6.xml.bin @@ -45,7 +45,7 @@ 0.1.0 some `reuqirements.txt` a root-component with all metadata - Apache-2.0 OR MIT + Apache-2.0 OR MIT From 205c15e89b117d580e32275a16b0897db8215e10 Mon Sep 17 00:00:00 2001 From: semantic-release Date: Sat, 20 Apr 2024 13:48:38 +0000 Subject: [PATCH 08/14] chore(release): 4.3.0 Automatically generated by python-semantic-release Signed-off-by: semantic-release 
Signed-off-by: jxdv --- CHANGELOG.md | 17 +++++++++++++++++ cyclonedx_py/__init__.py | 2 +- docs/conf.py | 2 +- pyproject.toml | 2 +- 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 65eaf523..ccdf20e3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,23 @@ +## v4.3.0 (2024-04-20) + +### Feature + +* feat: improve declared licenses detection (#722) + +- Add declared licenses from License Troves if not mapped to SPDX +license ID +- CycloneDX 1.6 mark licenses as "declared" + +fixes #718 + +--------- + +Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> ([`b0ae453`](https://github.com/CycloneDX/cyclonedx-python/commit/b0ae453e7dc69356ba5e1b987a6b19a31d106909)) + + ## v4.2.0 (2024-04-18) ### Feature diff --git a/cyclonedx_py/__init__.py b/cyclonedx_py/__init__.py index 5599b7a7..c4794027 100644 --- a/cyclonedx_py/__init__.py +++ b/cyclonedx_py/__init__.py @@ -15,7 +15,7 @@ # !! version is managed by `semantic_release` # do not use typing here, or else `semantic_release` might have issues finding the variable -__version__ = "4.2.0" # noqa:Q000 +__version__ = "4.3.0" # noqa:Q000 # There is no stable/public API. # However, you might call the stable CLI instead, like so: diff --git a/docs/conf.py b/docs/conf.py index 39f15a16..018c5b21 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -22,7 +22,7 @@ # The full version, including alpha/beta/rc tags # !! version is managed by semantic_release -release = "4.2.0" +release = "4.3.0" # -- General configuration --------------------------------------------------- diff --git a/pyproject.toml b/pyproject.toml index 6281f640..f0c58d3f 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -7,7 +7,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] # keep in sync with `cyclonedx_py/_internal/utils/cdx.py` name = "cyclonedx-bom" -version = "4.2.0" +version = "4.3.0" description = "CycloneDX Software Bill of Materials (SBOM) generator for Python projects and environments" authors = [ "Jan Kowalleck ", From b7975ea22574eadac8b0b9434435d9eac7ae7f48 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Sat, 20 Apr 2024 16:11:37 +0200 Subject: [PATCH 09/14] docs Signed-off-by: Jan Kowalleck Signed-off-by: jxdv --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0ea641af..7da26811 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -151,8 +151,8 @@ jobs: # see https://python-semantic-release.readthedocs.io/en/latest/configuration.html?highlight=remove_dist#remove-dist - release-docker-image: - name: "Release: DockerHub & GHCR" + release-container-image: + name: "Release: DockerHub & GitHubContainerRegistry" needs: - release-PyPI if: | From f8ff29eda2cc694def4f689d710768564e68b880 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Sat, 20 Apr 2024 17:07:58 +0200 Subject: [PATCH 10/14] container image label 'org.opencontainers.image.source' Signed-off-by: Jan Kowalleck --- .github/workflows/release.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7da26811..b9c4a00e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -183,9 +183,10 @@ jobs: with: name: ${{ env.DIST_ARTIFACT }} path: ${{ env.DIST_DIR }}/ - - name: Build Docker Image (${{ env.VERSION }}) + - name: Build Container Image (${{ env.VERSION }}) run: > docker build -f Dockerfile + --label 'org.opencontainers.image.source=${{ github.server_url }}/${{ github.github.repository }}' --build-arg "VERSION=$VERSION" -t "$DOCKERHUB_REPO:$VERSION" -t "$DOCKERHUB_REPO:latest" From aefd5a6a2e472b31dce8d7d1b52a714ecf6b70e5 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Sat, 20 Apr 2024 17:17:30 +0200 Subject: [PATCH 11/14] docker build label org.opencontainers.image.source Signed-off-by: Jan Kowalleck --- .github/workflows/docker.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index fb07a89c..8dac007e 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -68,6 +68,7 @@ jobs: VERSION: ${{ steps.bump-version.outputs.version }} run: > docker build -f Dockerfile + --label 'org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}' --build-arg "VERSION=$VERSION" -t "$DOCKER_TAG" . From 3d6a7ce2225cbf6571f0fadf1de184cb39c89805 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Sat, 20 Apr 2024 17:18:07 +0200 Subject: [PATCH 12/14] docker build label org.opencontainers.image.source Signed-off-by: Jan Kowalleck --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b9c4a00e..79f00f08 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
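Review bot: The new `--label` line in the docker.yml hunk interpolates `${{ github.server_url }}` and `${{ github.repository }}` straight into the `run:` script, while the same step appears to route `VERSION` through `env:` (the `VERSION: ${{ steps.bump-version.outputs.version }}` context line just above `run:`). For consistency, and to keep the shell text free of inline expressions, pass the label value the same way: `IMAGE_SOURCE: ${{ github.server_url }}/${{ github.repository }}` under `env:` and `--label "org.opencontainers.image.source=$IMAGE_SOURCE"` in the script. Both contexts are set by GitHub rather than by event payload, so this is a style point, not an injection concern. The `env:` block this step belongs to starts outside the hunk.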
@@ -186,7 +186,7 @@ jobs: - name: Build Container Image (${{ env.VERSION }}) run: > docker build -f Dockerfile - --label 'org.opencontainers.image.source=${{ github.server_url }}/${{ github.github.repository }}' + --label 'org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}' --build-arg "VERSION=$VERSION" -t "$DOCKERHUB_REPO:$VERSION" -t "$DOCKERHUB_REPO:latest" From 6644556b5c1822e67b1000da9b5daffd6c03c7b7 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Sat, 20 Apr 2024 18:00:26 +0200 Subject: [PATCH 13/14] prep ghcr release Signed-off-by: Jan Kowalleck --- .github/workflows/release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 79f00f08..6953b822 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -166,7 +166,7 @@ jobs: VERSION: ${{ needs.release-PyPI.outputs.version }} ARTIFACT_DOCKER_SBOM: 'docker-image-bom' DOCKERHUB_REPO: cyclonedx/cyclonedx-python - GHCR_REPO: ${{ github.repository }} + GHCR_REPO: ghcr.io/${{ github.repository_owner }}/cyclonedx-python steps: - name: Checkout code (${{ env.TAG }}) # see https://github.com/actions/checkout @@ -234,8 +234,8 @@ jobs: uses: docker/login-action@v3 with: registry: ghcr.io - username: ${{ secrets.GHCR_USERNAME }} - password: ${{ secrets.GHCR_TOKEN }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Publish Docker Image to GHCR for version "${{ env.VERSION }}" run: docker push "$GHCR_REPO:$VERSION" - name: Publish Docker Image as "latest" From bfce1d11e49b795f9c6bb5f7c0cc4d8116c28ca5 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Sat, 20 Apr 2024 18:18:12 +0200 Subject: [PATCH 14/14] Update release.yml Signed-off-by: Jan Kowalleck --- .github/workflows/release.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
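Review bot: In the second hunk of the "prep ghcr release" commit the GHCR login switches to `password: ${{ secrets.GITHUB_TOKEN }}`, and a `docker push` to ghcr.io with that token only succeeds when the job's `permissions:` grants `packages: write`; the `release-container-image` job header is outside this hunk, so confirm it declares `packages: write` (with `contents` kept at `read` unless another step needs more) rather than relying on the repository's default token permissions. Using `github.actor` as the username is the documented pairing for `GITHUB_TOKEN`, so no change is needed there. In the first hunk, `GHCR_REPO` now follows `github.repository_owner` but fixes the image name to `cyclonedx-python`; a short comment such as `# owner follows the fork, image name is intentionally fixed` would make that asymmetry with the literal `DOCKERHUB_REPO` deliberate for the next reader.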
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6953b822..ed42faed 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -216,16 +216,16 @@ jobs: path: ${{ env.REPORTS_DIR }}/*.bom.* if-no-files-found: error # publish AFTER the boms were build, as the bom-generation is kind of a test if the image works - - name: Login to Docker Hub + - name: Login to DockerHub # see hhttps://github.com/docker/login-action?tab=readme-ov-file#docker-hub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Publish Docker Image for version "${{ env.VERSION }}" + - name: Publish Container Image to DockerHub for version "${{ env.VERSION }}" run: docker push "$DOCKERHUB_REPO:$VERSION" - - name: Publish Docker Image as "latest" - if: ${{ github.event.inputs.prerelease == 'false' }} + - name: Publish Container Image to DockerHub as "latest" + if: ${{ !cancelled() && github.event.inputs.prerelease == 'false' }} run: docker push "$DOCKERHUB_REPO:latest" # endregion # region publish to GHCR @@ -236,14 +236,14 @@ jobs: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Publish Docker Image to GHCR for version "${{ env.VERSION }}" + - name: Publish Container Image to GHCR for version "${{ env.VERSION }}" run: docker push "$GHCR_REPO:$VERSION" - - name: Publish Docker Image as "latest" - if: ${{ github.event.inputs.prerelease == 'false' }} + - name: Publish Container Image to GHCR as "latest" + if: ${{ !cancelled() && github.event.inputs.prerelease == 'false' }} run: docker push "$GHCR_REPO:latest" # endregion # TODO: publish all files in $REPORTS_DIR as release assets - see https://github.com/actions/upload-release-asset - - name: Destroy Docker image + - name: Destroy Container image # run regardless of outcome if: ${{ always() }} run: >
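Review bot: Adding `!cancelled()` to the `if:` of both "latest" push steps (DockerHub in the first hunk, GHCR in the second) removes the implicit `success()` check GitHub applies to conditions that contain no status function, so `latest` is now pushed even when an earlier step has failed, including the SBOM-generation step that the preceding comment describes as a test of whether the image works, or the versioned push itself. If the previous behaviour was intended, spell the status check out: `if: ${{ success() && github.event.inputs.prerelease == 'false' }}`; if publishing `latest` after a partial failure is really wanted, a comment above the step stating why would prevent this from being read as an oversight. The `Destroy Container image` step's `run: >` body continues outside the hunk.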