Changelog

All notable changes to this project will be documented in this file.

unreleased

3.3.1 - 2024-05-06

  • Fixed

    • JSON validator allows arbitrary $schema value (#435 via #436)

3.3.0 - 2024-04-26

  • Changed

    • Classes \CycloneDX\Core\Serialization\{DOM,JSON}\Normalizers\LicenseNormalizer support license acknowledgement now (#428 via #429)

  • Added

    • Namespace \CycloneDX\Core\Enums

      • New enum: LicenseAcknowledgement (#428 via #429)

    • Namespace \CycloneDX\Core\Models\License

      • New methods LicenseExpression::{get,set}Acknowledgement() (#428 via #429)

      • New methods NamedLicense::{get,set}Acknowledgement() (#428 via #429)

      • New methods SpdxLicense::{get,set}Acknowledgement() (#428 via #429)

3.2.0 - 2024-04-10

Added basic support for *CycloneDX* Specification-1.6.

  • Changed

    • Method \CycloneDX\Core\Spec\SpecFactory::makeForVersion() supports CycloneDX Specification-1.6 now (#421 via #422)

    • Classes \CycloneDX\Core\Serialization\{DOM,JSON}\Normalizers\* support CycloneDX Specification-1.6 now (#421 via #422)

    • Classes \CycloneDX\Core\Validation\Validators\* support CycloneDX Specification-1.6 now (#421 via #422)

  • Added

    • Namespace \CycloneDX\Core\Enums

      • Enum ComponentType got new cases (#421 via #422)
        New: CryptographicAsset

      • Enum ExternalReferenceType got new cases (#421 via #422)
        New: SourceDistribution, ElectronicSignature, DigitalSignature, RFC9116

    • Namespace \CycloneDX\Core\Spec

      • New method SpecFactory::make1dot6() to reflect CycloneDX Specification-1.6 (#421 via #422)

      • Enum Version got new case v1dot6 to reflect CycloneDX Specification-1.6 (#421 via #422)

  • Style

    • Applied latest PHP Coding Standards (via #415)

3.1.2 - 2024-03-18

3.1.1 - 2024-02-05

3.1.0 - 2023-12-02

  • Added

    • Migration/fixup of URL(iri-reference) when normalizing to JSON (via #380)

3.0.2 - 2023-11-27

  • Misc

    • Officially support PHP 8.3 (via #265)

    • Integration tests compare against human-readable snapshots, for regression (via #371, #372)

3.0.1 - 2023-09-16

  • Fixed

    • Fixed a possible JSON schema validation issue regarding the “version” property (via #352)

3.0.0 - 2023-08-27

  • BREAKING

    • Interface \CycloneDX\Core\Spec\Spec was removed from the public API (#344 via #345)
      This is only a breaking change if you custom-implemented this interface downstream; internal usage is non-breaking.
      This change was necessary so that implementing more spec features causes no breaking changes.

  • Style

    • Applied latest PHP Coding Standards (via #341)

2.3.0 - 2023-06-27

Added support for *CycloneDX* Specification-1.5.

  • Changed

    • Method \CycloneDX\Core\Spec\SpecFactory::makeForVersion() supports CycloneDX Specification-1.5 now (#193 via #255)

    • Classes \CycloneDX\Core\Serialization\{DOM,JSON}\Normalizers\* support CycloneDX Specification-1.5 now (#193 via #255)

    • Classes \CycloneDX\Core\Validation\Validators\* support CycloneDX Specification-1.5 now (#193 via #255)

  • Added

    • Namespace \CycloneDX\Core\Enums

      • Enum ComponentType got new cases (#193 via #255)
        New: Data, DeviceDriver, MachineLearningModel, Platform

      • Enum ExternalReferenceType got new cases (#193 via #255)
        New: AdversaryModel, Attestation, CertificationReport, CodifiedInfrastructure, ComponentAnalysisReport, Configuration, DistributionIntake, DynamicAnalysisReport, Evidence, ExploitabilityStatement, Formulation, Log, MaturityReport, ModelCard, POAM, PentestReport, QualityMetrics, RiskAssessment, RuntimeAnalysisReport, SecurityContact, StaticAnalysisReport, ThreatModel, VulnerabilityAssertion

    • Namespace \CycloneDX\Core\Spec

      • New method SpecFactory::make1dot5() to reflect CycloneDX Specification-1.5 (#193 via #255)

      • Enum Version got new case v1dot5 to reflect CycloneDX Specification-1.5 (#193 via #255)

  • Misc

    • Added functional and integration tests for CycloneDX Specification-1.5 (#193 via #255)

    • Fetched latest stable schema definition files for offline usage (via #255)

2.2.0 - 2023-06-02

  • Changed

    • Class \CycloneDX\Core\Serialization\JsonSerializer

      • Property normalizerFactory became protected readonly, was private readonly (#305 via #306)

      • Property jsonEncodeFlags became protected readonly, was private readonly (#305 via #306)

    • Class \CycloneDX\Core\Serialization\XmlSerializer

      • Property normalizerFactory became protected readonly, was private readonly (#305 via #306)

      • Property xmlVersion became protected readonly, was private readonly (#305 via #306)

      • Property xmlEncoding became protected readonly, was private readonly (#305 via #306)

  • Style

    • Applied latest PHP Coding Standards (via #302)
      Some parameters now allow nullable values implicitly, where they were explicitly nullable before.

    • Wrote some class properties with constructor promotion (via #309)

2.1.2 - 2023-04-05

  • Fixed

    • \CycloneDX\Core\Serialization\{DOM,JSON}\Normalizers\LicenseRepositoryNormalizer::normalize() now omits invalid license combinations (#285 via #290)
      If there is any LicenseExpression, then this is the only license normalized; otherwise all licenses are normalized.

  • Docs

    • Fixed link to CycloneDX-specification in README (via #288)

2.1.1 - 2023-03-28

  • Docs

    • Announce and annotate the generator for BOM’s SerialNumber (#277 via #282)

2.1.0 - 2023-03-24

  • Fixed

    • “Bom.serialNumber” data model can have values following the alternative format allowed in CycloneDX XML specification (#277 via #278)

    • \CycloneDX\Core\Serialization\{DOM,JSON}\Normalizers\BomNormalizer::normalize() now omits invalid/unsupported values for serialNumber (#277 via #278)

  • Changed

    • \CycloneDX\Core\Models\Bom::setSerialNumber() no longer throws \DomainException when the value is of an unsupported format (#277 via #278)
      This is considered a non-breaking behaviour change, because the corresponding normalizers ensure valid data results.

  • Added

    • Published generator for BOM’s SerialNumber: \CycloneDX\Core\Utils\BomUtility::randomSerialNumber() (#277 via #278)
      The code was donated from cyclonedx-php-composer.

2.0.0 - 2023-03-20

  • BREAKING

    • Removed support for PHP v7.3 (#6 via #125)

    • Removed support for PHP v7.4 (#114 via #125)

    • Removed support for PHP v8.0 (via #204)

    • Changed models’ aggregation properties to be no longer optional (#66 via #131)

    • Changed models to be less restrictive (#247 via #249)

    • Streamlined repository data structures to follow a common method naming scheme (via #131)

    • Enumeration-like classes were converted to native PHP Enumerations (#140, #256 via #204, #257)

  • Added

  • Misc

    • All class properties now enforce the correct types (#6, #114 via #125)
      This is considered a non-breaking change, because the types were already correctly annotated.

    • Migrated internals to PHP8 language features (#114 via #125)

API changes v2 - the details

  • Overall

    • BREAKING: enforced the use of concrete UnionTypes instead of protocols/interfaces/abstracts (#114 via #125)
      Affected the usages of no longer public \CycloneDX\Core\Models\License\AbstractDisjunctiveLicense and methods that used license-related classes. This was possible due to PHP8’s UnionType language feature.

    • Changed some methods to no longer throw \InvalidArgumentException (via #125)
      PhpDoc annotations were updated, so that code analysis tools should pick this up. This was possible by enforcing correct typing on the PHP8 language level.

    • BREAKING: every occurrence of {M,m}etaData with a capital “D” was renamed to {M,m}etadata with a small “d” (#133 via #131, #149)
      This affects class names, method names, variable names, property names, file names, documentation - everything.

  • \CycloneDX\Core\Collections namespace

    • Added new class CopyrightRepository (#238 via #241)

    • Added new class PropertyRepository (#228 via #165)

  • \CycloneDX\Core\Enum namespace

    • Classification class

      • BREAKING: renamed class to ComponentType (via #170)

      • BREAKING: became a native PHP Enumeration type (#140 via #204)

      • BREAKING: all const converted to case with UpperCamelCase naming scheme (#256 via #257)

      • BREAKING: method isValidValue() was removed (via #204)

    • ExternalReferenceType class

      • BREAKING: became a native PHP Enumeration type (#140 via #204)

      • BREAKING: all const converted to case with UpperCamelCase naming scheme (#256 via #257)

      • BREAKING: method isValidValue() was removed (via #204)

      • Added case RELEASE_NOTES to reflect CycloneDX v1.4 (#57 via #65)

    • HashAlgorithm class

      • BREAKING: became a native PHP Enumeration type (#140 via #204)

      • BREAKING: all const converted to case with UpperCamelCase naming scheme (#256 via #257)

      • BREAKING: method isValidValue() was removed (via #204)

  • CycloneDX\Core\Factories namespace

    • LicenseFactory class

      • BREAKING: the check for whether something is a valid SPDX expression is now complete; it was a best-effort implementation before (#247 via #249)
        This affects all methods that potentially would create LicenseExpression models.
        Utilizes composer/spdx-licenses <https://packagist.org/packages/composer/spdx-licenses>.

      • BREAKING: changed constructor method __construct() (via #249)

      • BREAKING: removed method makeDisjunctiveFromExpression() (#163 via #166)

      • BREAKING: removed method setSpdxLicenseValidator() (via #249)

      • BREAKING: renamed method getSpdxLicenseValidator() -> getLicenseIdentifiers() (via #249)

      • BREAKING: renamed method makeDisjunctiveWithId() -> makeSpdxLicense() (#164 via #168)

      • BREAKING: renamed method makeDisjunctiveWithName() -> makeNamedLicense() (#164 via #168)

      • Added new method getSpdxLicenses() (via #249)

  • \CycloneDX\Core\Models namespace

    • Bom class

      • BREAKING: changed constructor to no longer accept components (#187 via #188)

      • BREAKING: renamed methods {get,set}ComponentRepository() -> {get,set}Components() (#133 via #131)

      • BREAKING: renamed methods {get,set}ExternalReferenceRepository() -> {get,set}ExternalReferences() (#133 via #131)
        Also changed parameter & return type to non-nullable, was nullable (#66 via #131)

      • BREAKING: renamed methods {get,set}MetaData() -> {get,set}Metadata() (#133 via #131)
        Also changed parameter & return type to non-nullable, was nullable (#66 via #131)

      • Added new methods {get,set}Properties() (#228 via #229)

      • Added new methods {get,set}SerialNumber() (via #186)

    • Component class

      • BREAKING: renamed methods {get,set}DependenciesBomRefRepository() -> {get,set}Dependencies() (#133 via #131)
        Also changed parameter & return type to non-nullable, was nullable (#66 via #131)

      • BREAKING: renamed methods {get,set}ExternalReferenceRepository() -> {get,set}ExternalReferences() (#133 via #131)
        Also changed parameter & return type to non-nullable, was nullable (#66 via #131)

      • BREAKING: renamed methods {get,set}HashRepository() -> {get,set}Hashes() (#133 via #131)
        Also changed parameter & return type to non-nullable, was nullable (#66 via #131)

      • BREAKING: renamed methods {get,set}License() -> {get,set}Licenses() (via #131)
        Also changed it to work with class LicenseRepository only; it previously worked with various Models\License\* types (#66 via #131)

      • BREAKING: changed class property version to be optional, to reflect CycloneDX v1.4 (#27 via #118, #131)
        This affects constructor arguments, and affects methods {get,set}Version().

      • BREAKING: changed property type to be of type \CycloneDX\Core\Enum\ComponentType (#140 via #204)
        This affects constructor arguments, and affects methods {get,set}Type().

      • Added new methods {get,set}Author() (#184 via #185)

      • Added new methods {get,set}Copyright() (#238 via #239)

      • Added new methods {get,set}Evidence() (#238 via #241)

      • Added new methods {get,set}Properties() (#228 via #165)

    • Added new class ComponentEvidence (#238 via #241)

    • ExternalReference class

      • BREAKING: renamed methods {get,set}HashRepository() -> {get,set}Hashes() (#133 via #131)
        Also changed parameter & return type to non-nullable, was nullable (#66 via #131)

      • BREAKING: changed property type to be of type \CycloneDX\Core\Enum\ExternalReferenceType (#140 via #204)
        This affects constructor arguments, and affects methods {get,set}Type().

    • Licenses namespace

      • AbstractDisjunctiveLicense

        • BREAKING: removed this class (via #125, #131)

      • DisjunctiveLicenseWithName class

        • BREAKING: renamed class to NamedLicense (#164 via #168)

      • DisjunctiveLicenseWithId class

        • BREAKING: renamed class to SpdxLicense (#164 via #168)

        • BREAKING: removed factory method makeValidated() (#247 via #249)
          To assert valid values use \CycloneDX\Core\Factories\LicenseFactory::makeSpdxLicense().

        • Changed: constructor __construct() is public now, was private (#247 via #249)

        • Added new method setId() (#247 via #249)

      • LicenseExpression class

        • BREAKING: constructor __construct() and method setExpression() no longer do validation, but only assert that the parameter is a non-empty string (#247 via #249)
          To assert valid values use \CycloneDX\Core\Factories\LicenseFactory::makeExpression().

        • BREAKING: removed method isValid() (#247 via #249)

    • MetaData class

      • BREAKING: renamed class to Metadata (#133 via #131)
        Even though PHP is case-insensitive with class names, autoloaders may be case-sensitive. Therefore, this is considered a breaking change.

      • BREAKING: changed methods {get,set}Tools() so that their parameter & return type is non-nullable, was nullable (#66 via #131)

      • Added new methods {get,set}Properties() (#228 via #165)

      • Added new methods {get,set}Timestamp() (via #180, #181)

    • Added new class Property (#228 via #165)

    • Tool class

      • BREAKING: renamed methods {get,set}ExternalReferenceRepository() -> {get,set}ExternalReferences() (#133 via #131)
        Also changed parameter & return type to non-nullable, was nullable (#66 via #131)

      • BREAKING: renamed methods {get,set}HashRepository() -> {get,set}Hashes() (#133 via #131)
        Also changed parameter & return type to non-nullable, was nullable (#66 via #131)

  • \CycloneDX\Core\Repositories namespace

    • Overall:

      • BREAKING: renamed the namespace to \CycloneDX\Core\Collections (#133 via #131)

      • BREAKING: streamlined all classes, renamed all getters to getItems() and all setters to setItems() (#133 via #131)
        In addition, the method arguments were renamed to generic $items.

    • DisjunctiveLicenseRepository class

      • BREAKING: renamed the class to \CycloneDX\Core\Collections\LicenseRepository (via #131)

      • BREAKING: added the capability to also aggregate instances of class Models\LicenseExpression (via #131)
        Therefore, various getters and setters and the constructor changed their signatures; they previously accepted instances of \CycloneDX\Core\Models\License\AbstractDisjunctiveLicense only.

    • HashRepository class

      • BREAKING: renamed to \CycloneDX\Core\Collections\HashDictionary (#133 via #131)

      • BREAKING: renamed all methods and changed all method signatures to match the overall streamlined scheme (#133 via #131)

      • BREAKING: changed all method signatures to enable handling of native PHP Enumeration type \CycloneDX\Core\Enum\HashAlgorithm (#140 via #204)

  • \CycloneDX\Core\Serialize namespace

    • Overall

      • BREAKING: renamed namespace to Serialization (#5 via #146)

    • SerializerInterface interface

      • BREAKING: renamed to Serializer (#133 via #155)

      • BREAKING: method serialize() got a new optional parameter $prettyPrint (via #155)

      • BREAKING: method serialize() may throw \Throwable, was \Exception (via #253)

    • BaseSerializer abstract class

      • BREAKING: complete redesign (via #155)

    • {Json,Xml}Serializer class

      • BREAKING: complete redesign (via #155)

    • {DOM,JSON}\NormalizerFactory classes

      • BREAKING: removed method makeForLicenseExpression() (via #131)

      • BREAKING: removed method makeForDisjunctiveLicense() (via #131)

      • BREAKING: removed method makeForDisjunctiveLicenseRepository() (via #131)

      • BREAKING: removed method makeForHashRepository() - use makeForHashDictionary() instead (#133 via #131)

      • BREAKING: removed method setSpec() (via #131)

      • Added new method makeForComponentEvidence() (#238 via #241)

      • Added new method makeForHashDictionary() (#133 via #131)

      • Added new method makeForLicense() (via #131)

      • Added new method makeForLicenseRepository() (via #131)

    • {DOM,JSON}\Normalizers namespaces

      • BREAKING: removed classes DisjunctiveLicenseNormalizer - use LicenseNormalizer instead (via #131)

      • BREAKING: removed classes LicenseExpressionNormalizer - use LicenseNormalizer instead (via #131)

      • BREAKING: removed classes DisjunctiveLicenseRepositoryNormalizer (via #131)

      • BREAKING: renamed classes HashRepositoryNormalizer -> HashDictionaryNormalizer (#133 via #131)
        Also changed signatures to accept Models\HashDictionary instead of Models\HashRepository.

      • BREAKING: changed signatures of class HashNormalizer to accept native PHP Enumeration type \CycloneDX\Core\Enum\HashAlgorithm (#140 via #204)

      • Added new classes ComponentEvidenceNormalizer that can normalize ComponentEvidence (#238 via #241)

      • Added new classes LicenseNormalizer that can normalize every existing license model (via #131)

      • Added new classes LicenseRepositoryNormalizer that can normalize LicenseRepository (via #131)

      • ExternalReferenceNormalizer classes

        • Changed the method normalize() to actually throw \DomainException when the ExternalReference's type is not supported by the spec (via #65)
          This is considered a non-breaking change, because the behaviour was already documented in the API, even though there was no need for an implementation before.

      • ExternalReferenceNormalizer classes

        • Changed, so that it tries to convert unsupported types to “other”, before it throws a \DomainException (#137 via #147)

    • JSON\Normalizers\BomNormalizer class

      • Changed: method normalize()'s result data may contain the $schema string (via #155)

    • JSON\Normalizers\ExternalReferenceNormalizer class

      • BREAKING: method normalize() may throw \UnexpectedValueException when the url is invalid for format “iri-reference” (via #151)

  • \CycloneDX\Core\Spdx namespace

    • BREAKING: renamed the class License -> LicenseIdentifiers (#133 via #143, #249)

    • BREAKING: renamed method getLicense() -> fixLicense() (via #249)

    • BREAKING: renamed method getLicenses() -> getKnownLicenses(), and removed keys from return value (via #249)

    • BREAKING: renamed method validate() -> isKnownLicense() (via #249)

  • \CycloneDX\Core\Spec namespace

    • BREAKING: completely reworked everything (#139 via #142, #174, #204)
      See the code base for references.

  • \CycloneDX\Core\Validation namespace

    • BaseValidator class

      • BREAKING: removed deprecated method setSpec() (via #144)

    • ValidatorInterface interface

      • BREAKING: renamed interface to Validator (#133 via #143)

      • Removed specification of constructor __construct() (via #253)

      • Removed specification of method getSpec() (via #253)

    • Validators\{Json,JsonStrict,Xml}Validator classes

      • Added support for CycloneDX v1.4 (#57 via #65)

    • Validators\{Json,JsonStrict}Validator classes

      • Utilizes a much more competent validation library than before (#80 via #151)

1.6.3 - 2022-09-15

Maintenance Release.

  • Legal:

    • Transferred copyright to OWASP Foundation. (via #121)

1.6.2 - 2022-09-12

Maintenance release.

  • Docs:

    • Added “Responsibilities”, “Capabilities” and “Usage” sections to README. (via #115)

1.6.1 - 2022-08-16

Maintenance release.

1.6.0 - 2022-08-03

1.5.0 - 2022-03-08

1.4.2 - 2022-02-05

  • Fixed

    • Return type of CycloneDX\Core\Serialize\SerializerInterface::serialize() and implementations/usage are documented as non-empty-string, were undocumented string before. (via #70)

1.4.1 - 2022-01-31

  • Fixed

    • CycloneDX\Core\Validation\ValidatorInterface::validateString() and implementations are documented as non-empty-string, were undocumented string before. (via #63)

1.4.0 - 2021-12-20

  • Added

    • Resulting JSON files hold the correct $schema. (#43 via #42)

1.3.1 - 2021-12-03

  • Fixed

    • XML serializer & DOM normalizer no longer generate invalid XML::anyURI. (via #34)

1.3.0 - 2021-12-01

  • Changed

    • JSON result no longer has slashes escaped in strings. (via #33)
      Old: "http:\/\/example.com"
      New: "http://example.com"

1.2.0 - 2021-11-29

  • Added

    • Prevention of information-loss on metadata-component’s ExternalReferences, when normalizing to a specification that does not support bom.metadata (via #26)

1.1.0 - 2021-11-25

  • Added

    • Support for ExternalReferences in BOM and Component (via #17)

1.0.3 - 2021-11-15

  • Fixed

    • CycloneDX\Core\Models\License\AbstractDisjunctiveLicense::setUrl() no longer restricts the argument to be a valid URL.
      Per schema definition licenseType.url should be a URI, not a URL. See #18.

  • Changed

    • CycloneDX\Core\Models\License\AbstractDisjunctiveLicense::setUrl() no longer throws InvalidArgumentException if the argument is not a URL (via #19)

1.0.2 - 2021-10-30

  • Fixed

    • Psalm-annotation of CycloneDX\Core\Enums\Classification::isValidValue() (via #10)

1.0.1 - 2021-10-23

Removed composer’s conflict constraint.
This was done to enable some workflows with package forks/mirrors that don’t have proper version detection. See #9.

1.0.0 - 2021-10-07

Initial release.
Split the library from /src/Core of cyclonedx-php-composer (346e6200fb2f5086061b15c2ee44f540893ce97d) <https://github.com/CycloneDX/cyclonedx-php-composer/tree/346e6200fb2f5086061b15c2ee44f540893ce97d/src/Core>