Support Import of CycloneDX 1.6 BOMs #3584
Comments
Note that as of v4.11, uploads of BOMs with unsupported spec versions will no longer fail silently in the background. Instead, they will fail schema validation and users will get immediate feedback about it.
Assigning to 4.12 as I am expecting the Java library to be published during the 4.12 release cycle.
Block is removed due to release of cyclonedx-core-java v9.0.0
* Updates `cyclonedx-core-java` to version `9.0.0`
* Bumps Jackson to version `2.17.1` to resolve compatibility issues with `cyclonedx-core-java`
* Resolve various compilation errors due to refactoring in `cyclonedx-core-java`
* Add validator tests for all CycloneDX versions

Note that BOM exports will continue to use v1.5 for the time being. This avoids breaking users' workflows in case their tooling doesn't yet support v1.6.

Closes DependencyTrack#3584

Signed-off-by: nscuro <nscuro@protonmail.com>
Had some code laying around from my initial tests with this library version. So went ahead and committed that. Raised PR #3710.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
* Updates `cyclonedx-core-java` to version `9.0.3`
* Bumps Jackson to version `2.17.1` to resolve compatibility issues with `cyclonedx-core-java`
* Resolve various compilation errors due to refactoring in `cyclonedx-core-java`
* Add validator tests for all CycloneDX versions

Note that BOM exports will continue to use v1.5 for the time being. This avoids breaking users' workflows in case their tooling doesn't yet support v1.6.

Closes DependencyTrack#3584

Signed-off-by: nscuro <nscuro@protonmail.com>
Current Behavior
Dependency-Track v4.9 implemented support for the import of BOMs that are CycloneDX 1.5 or below. See #2850
CycloneDX 1.6 will be released before the end of March 2024, or in the first week of April. We will start to see tooling producing 1.6 BOMs shortly thereafter (most certainly from the cdxgen project). An attempt to import any such BOM to DT v4.10.1 would throw an error.
Proposed Behavior
Dependency-Track must be updated so that CycloneDX v1.6 BOMs can be imported without error.
The implementation of support for new functionality offered by 1.6 (CBOM, etc.) is expected to be covered by other issues. This enhancement is to ensure that existing CycloneDX functionality is preserved: no errors, and dependency graphs (etc.) still work.
Note: We have a dependency on cyclonedx-core-java and so implementation of this enhancement is blocked until core-java is updated to support spec v1.6.
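As an added example (this is not Dependency-Track's code, nor the cyclonedx-core-java validator the thread refers to), the following Python pre-upload gate gives a BOM producer the same kind of immediate feedback that the maintainer describes for v4.11: it reads `bomFormat` and `specVersion` from a CycloneDX JSON document, rejects anything outside the supported range, and additionally refuses a BOM whose `$schema` URL names a different version than `specVersion`, since that indicates a generator bug rather than a BOM worth importing. The sample BOMs are constructed inline; `1.7` stands in for a hypothetical future spec version, and the `1.2`..`1.6` range reflects that CycloneDX has had a JSON encoding since 1.2 and that 1.6 is what this issue adds.

```python
"""Pre-upload gate for CycloneDX JSON BOMs (added example, not Dependency-Track code)."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from typing import Optional

# CycloneDX has a JSON encoding from spec 1.2 onward; 1.6 is the newest
# version this gate admits, matching what this issue adds to Dependency-Track.
SUPPORTED_JSON_SPEC_VERSIONS: tuple[str, ...] = ("1.2", "1.3", "1.4", "1.5", "1.6")

# Official schema URLs look like http://cyclonedx.org/schema/bom-1.6.schema.json
_SCHEMA_VERSION_RE = re.compile(r"bom-(\d+\.\d+)\.schema\.json$")


@dataclass(frozen=True)
class GateResult:
    accepted: bool
    spec_version: Optional[str]
    reason: str


def gate_bom(raw: str | bytes) -> GateResult:
    """Decide whether a BOM is worth uploading, with a human-readable reason."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return GateResult(False, None, f"not valid JSON: {exc.msg} at offset {exc.pos}")
    if not isinstance(doc, dict):
        return GateResult(False, None, "top-level JSON value is not an object")

    bom_format = doc.get("bomFormat")
    if bom_format != "CycloneDX":
        return GateResult(False, None, f"bomFormat is {bom_format!r}, expected 'CycloneDX'")

    version = doc.get("specVersion")
    if not isinstance(version, str):
        return GateResult(False, None, "specVersion is missing or not a string")

    # A $schema pointing at a different version than specVersion is a sign of a
    # generator bug; reject rather than guess which one the producer meant.
    schema = doc.get("$schema")
    if isinstance(schema, str):
        m = _SCHEMA_VERSION_RE.search(schema)
        if m and m.group(1) != version:
            return GateResult(False, version,
                              f"specVersion {version} disagrees with $schema version {m.group(1)}")

    if version not in SUPPORTED_JSON_SPEC_VERSIONS:
        return GateResult(False, version,
                          f"specVersion {version} is not supported (supported: "
                          f"{', '.join(SUPPORTED_JSON_SPEC_VERSIONS)})")
    return GateResult(True, version, "ok")


def _minimal_bom(spec_version: str, schema_version: Optional[str] = None) -> str:
    """Build a constructed, minimal CycloneDX JSON BOM for demonstration."""
    doc = {
        "bomFormat": "CycloneDX",
        "specVersion": spec_version,
        "version": 1,
        "components": [
            {"type": "library", "name": "example-lib", "version": "1.0.0",
             "purl": "pkg:maven/org.example/example-lib@1.0.0"},
        ],
    }
    if schema_version is not None:
        doc["$schema"] = f"http://cyclonedx.org/schema/bom-{schema_version}.schema.json"
    return json.dumps(doc)


# Constructed sample inputs (not real BOMs from any project).
BOM_1_6 = _minimal_bom("1.6", "1.6")
BOM_FUTURE = _minimal_bom("1.7")           # hypothetical future spec version
BOM_MISMATCH = _minimal_bom("1.6", "1.5")  # specVersion and $schema disagree
BOM_NO_VERSION = json.dumps({"bomFormat": "CycloneDX", "version": 1})
BOM_SPDX = json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT"})


def gate_all(boms: dict[str, str]) -> dict[str, GateResult]:
    """Gate a batch of named BOMs; callers can log each reason immediately."""
    return {name: gate_bom(raw) for name, raw in boms.items()}


if __name__ == "__main__":
    samples = {"bom-1.6": BOM_1_6, "bom-future": BOM_FUTURE, "bom-mismatch": BOM_MISMATCH,
               "bom-no-version": BOM_NO_VERSION, "spdx": BOM_SPDX, "garbage": "{not json"}
    for name, result in gate_all(samples).items():
        verdict = "ACCEPT" if result.accepted else "REJECT"
        print(f"{verdict:6} {name:15} {result.reason}")
```

Running this as a script prints one line per sample BOM with the verdict and reason. The gate only checks the version envelope; full schema validation of the document body is still the server's job (in Dependency-Track, the cyclonedx-core-java validator), so a BOM that passes here can still be rejected on upload.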