This is a bugfix release that ships with minimal support for the CycloneDX v1.5 specification.
Full support is being worked on and planned to be released soon. The progress may be tracked in #90.
The reason for publishing partial support like this is to allow the consumption of v1.5 BOMs, which fails with cyclonedx-go <= v0.7.1.
Warning
The default SpecVersion has been updated to SpecVersion1_5. If your application generates BOMs, and you're not ready (or willing) to distribute BOMs following the v1.5 specification yet, consider using EncodeVersion to generate output for an older version of the spec.
Changelog
Features
7128a921f3e83a43feef75bc8ab95642c236ef82: feat: raise baseline go version to 1.18 (@nscuro)
Fixes
ff719b64835af6e75dcfd6e7ff90d070f271ae07: fix: unmarshal bom on v1.5 return invalid specification version (@chen-keinan)
Building and Packaging
966c223154527621395473cc045a7672609c879f: build(deps): bump CycloneDX/gh-gomod-generate-sbom from 1.1.0 to 2.0.0 (@dependabot[bot])
1e83e8598d07b6303522cb63458be2577223f8d3: build(deps): bump actions/checkout from 3.5.0 to 3.5.1 (@dependabot[bot])
78f6593ed81da036aec671c19ea937b3a80586bf: build(deps): bump actions/checkout from 3.5.1 to 3.5.2 (@dependabot[bot])
868f6db7d03da581dbe9b6d283acd6c477529c0a: build(deps): bump actions/checkout from 3.5.2 to 3.5.3 (@dependabot[bot])
5885827e4246b82e08d37f6f0b95c6c0a4ef821b: build(deps): bump actions/setup-go from 4.0.0 to 4.0.1 (@dependabot[bot])
d772b5438430be7879f3a4e7064c1ccbdbf153a1: build(deps): bump actions/setup-go from 4.0.1 to 4.1.0 (@dependabot[bot])
578e8621c93869b9e0368eebb619cd96c7e9e2bb: build(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.4 (@dependabot[bot])
f83e6a7c9d196eff9f99ecf8291cd4adeabce31a: build(deps): bump gitpod/workspace-go from 2be827f to 910daeb (@dependabot[bot])
cd7b23a68ff1c7467e211c9c69f9fb67c2244043: build(deps): bump gitpod/workspace-go from 910daeb to d7a41f5 (@dependabot[bot])
668553d1667110b8b34c7a4a954c3ac4707816ba: build(deps): bump gitpod/workspace-go from d7a41f5 to f37c673 (@dependabot[bot])
d9a5f8cf07fa834c02969fba2128bdb14c0865ff: build(deps): bump golangci/golangci-lint-action from 3.4.0 to 3.5.0 (@dependabot[bot])
66f96dfacf866f8d2ca686659e964fc535c72f92: build(deps): bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 (@dependabot[bot])
8b51c39974573c22ba0a14ba1d5a0cd5b50c68fa: build(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (@dependabot[bot])
e44f7de374a51cd1228117d43ccedfdcbe50cd73: build(deps): bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 (@dependabot[bot])
6360fe1474853e461a6af83fc6214882b4647f09: build(deps): bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (@dependabot[bot])
Others
a06990657b338db19fec11a677ea915eea2b5c74: feat(spec1-5): add initial support for spec v1.5 (@nscuro)
67a7567143eb3373099f100bbe17143239cf5d4e: feat(spec1-5): add licensing, license properties, and license bom-ref (@nscuro)
d2f3bb95bf740da7a6d36c6a1c324356afed5356: feat(spec1-5): add lifecycle support (@nscuro)
eb041b55b2eb8685a37be6f7a9c265fb6528377b: feat(spec1-5): add new component types (@nscuro)
c45ba618028d9f0cb593784e6483f4392a78ff3b: feat(spec1-5): add new external reference types (@nscuro)
d84947d74d7df97f851211bf7b72786e3583b9e3: feat(spec1-5): add support for annotations (@nscuro)
0ba04965ce8c5df710eb2a1cae1e7546ffb6321b: feat(spec1-5): bump schema to 1.5 for round-trip tests (@nscuro)
4e20914ebfc2aa80fbe0fa32650567554ebaaf49: misc(dx): add project icon for intellij and goland (@nscuro)
Commits
83031d6 Merge pull request #117 from CycloneDX/dependabot/github_actions/golangci/gol...
8b51c39 build(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0
0ed4535 Merge pull request #114 from CycloneDX/dependabot/github_actions/goreleaser/g...
6360fe1 build(deps): bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0
5c1db8e Merge pull request #113 from CycloneDX/dependabot/github_actions/actions/setu...
d772b54 build(deps): bump actions/setup-go from 4.0.1 to 4.1.0
3d592d2 Merge pull request #112 from CycloneDX/dependabot/docker/gitpod/workspace-go-...
668553d build(deps): bump gitpod/workspace-go from d7a41f5 to f37c673
fdeec7e Merge pull request #111 from CycloneDX/idea-project-icon
4e20914 misc(dx): add project icon for intellij and goland
Bumps the go-modules group with 28 updates:
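from 1.27.10 to 1.28.0
from 0.7.1 to 0.7.2
from 4.2.0 to 4.2.1
from 1.7.0 to 1.7.6
from 2.8.2+incompatible to 2.8.3+incompatible
from 0.7.0 to 0.8.0
from 5.4.1 to 5.5.0
from 5.6.1 to 5.9.0
from 0.15.1 to 0.16.1
from 1.3.0 to 1.3.1
from 0.3.5 to 0.4.0
from 1.16.5 to 1.17.0
from 0.0.14 to 0.0.15
from 0.5.0 to 0.6.0
from 1.1.5 to 1.1.9
from 4.1.17 to 4.1.18
from 1.9.1 to 1.9.3
from 1.2.0 to 1.2.1
from 0.5.0 to 0.5.3
from 1.9.5 to 1.10.0
from 1.5.0 to 1.5.1
from 2.11.3 to 2.14.1
from 0.21.0 to 0.25.0
from 0.11.3 to 0.11.5
from 0.13.0 to 0.14.0
from 0.12.0 to 0.13.0
from 0.3.0 to 0.4.0
from 1.57.0 to 1.58.2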
Updates
github.com/onsi/gomega
from 1.27.10 to 1.28.0
Release notes
Sourced from github.com/onsi/gomega's releases.
Changelog
Sourced from github.com/onsi/gomega's changelog.
Commits
85681d4 v1.28.0
0b03b36 Add VerifyHost handler to ghttp (#698)
55a33f3 Bump github.com/onsi/ginkgo/v2 from 2.11.0 to 2.12.0 (#693)
de68e8f Typo in matchers.go (#691)
ab17f5e Bump commonmarker from 0.23.9 to 0.23.10 in /docs (#690)
5069017 chore: update test matrix for Go 1.21 (#689)
babe25f Bump golang.org/x/net from 0.12.0 to 0.14.0 (#688)
18d6673 Read Body for Newer Responses in HaveHTTPBodyMatcher (#686)
Updates
github.com/CycloneDX/cyclonedx-go
from 0.7.1 to 0.7.2
Release notes
Sourced from github.com/CycloneDX/cyclonedx-go's releases.
Commits
83031d6 Merge pull request #117 from CycloneDX/dependabot/github_actions/golangci/gol...
8b51c39 build(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0
0ed4535 Merge pull request #114 from CycloneDX/dependabot/github_actions/goreleaser/g...
6360fe1 build(deps): bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0
5c1db8e Merge pull request #113 from CycloneDX/dependabot/github_actions/actions/setu...
d772b54 build(deps): bump actions/setup-go from 4.0.1 to 4.1.0
3d592d2 Merge pull request #112 from CycloneDX/dependabot/docker/gitpod/workspace-go-...
668553d build(deps): bump gitpod/workspace-go from d7a41f5 to f37c673
fdeec7e Merge pull request #111 from CycloneDX/idea-project-icon
4e20914 misc(dx): add project icon for intellij and goland
Updates
github.com/cenkalti/backoff/v4
from 4.2.0 to 4.2.1
Commits
a04a6fe set minimum permissions for go.yaml
a214dad spelling: interval
af9bd1c spelling: found
Updates
github.com/containerd/containerd
from 1.7.0 to 1.7.6
Release notes
Sourced from github.com/containerd/containerd's releases.
... (truncated)
Commits
091922f Merge pull request #9085 from dmcgowan/prepare-1.7.6
8542d0e Merge pull request #9069 from kiashok/portStableAbi-1.7
78874ec Merge pull request #9084 from dmcgowan/backport-1.7-inherit-distribution-sources
3e09c65 Prepare release notes for v1.7.6
5ebf05d push: inherit distribution sources from parent
d206896 content: add InfoProvider interface
f0d3109 Merge pull request #9074 from thaJeztah/1.7_update_golang_1.20.8
423693d [release/1.7] update to go1.20.8
c7a35cc Fix transfer service dependencies:
38d4e50 Invoke Stable ABI compatibility function in windows platform matcher
Updates
github.com/docker/distribution
from 2.8.2+incompatible to 2.8.3+incompatible
Release notes
Sourced from github.com/docker/distribution's releases.
Commits
4772604 Merge pull request #4088 from distribution/2.8.3-release-notes
a4fa699 Add v2.8.3 release notes
1eb2c30 Merge pull request #4068 from milosgajdos/2_8-dont-close-request-body
5e6b1b5 Do not close HTTP request body in HTTP handler
2b76378 Merge pull request #4064 from thaJeztah/2.8_backport_nodigestset
29b00e8 digestset: deprecate package in favor of go-digest/digestset
d1ab243 [release/2.8] vendor: github.com/opencontainers/go-digest v1.0.0
11eb419 Merge pull request #4063 from thaJeztah/2.8_backport_switch_reference
3dda067 deprecate reference package, migrate to github.com/distribution/reference
da05539 Merge pull request #4053 from thaJeztah/2.8_backport_set-content-type-client-...
Updates
github.com/docker/docker-credential-helpers
from 0.7.0 to 0.8.0
Release notes
Sourced from github.com/docker/docker-credential-helpers's releases.
Commits
8396edb Merge pull request #297 from thaJeztah/update_go_1.20.6
a3d1ffc update go to go1.20.6
c03d56c deb: update to golang bullseye
7f48455 Merge pull request #294 from thaJeztah/use_designated_domains_step1
a90e3fa secretservice: use designated domains in tests (RFC2606)
ffb3232 pass: use designated domains in tests (RFC2606)
1050848 client: use designated domains in tests (RFC2606)
7d66ae0 osxkeychain: use designated domains in tests (RFC2606)
13475b4 credentials: use designated domains in tests (RFC2606)
91af1de registryurl: use designated domains in tests (RFC2606)
Updates
github.com/go-git/go-billy/v5
from 5.4.1 to 5.5.0
Release notes
Sourced from github.com/go-git/go-billy/v5's releases.
Commits
5c1dfec Merge pull request #34 from pjbgf/bump-scj
3994cd7 osfs: Add WithDeduplicatePath
e223a66 Bump github.com/cyphar/filepath-securejoin
ca80085 Merge pull request #33 from pjbgf/default
74a6e60 Re-introduce osfs.Default
1d4d3d3 Merge pull request #31 from pjbgf/new-osfs
3c59de8 osfs: Add new BoundOS type
dafe8bc build: Bump Go to 1.19
326c59f Merge pull request #30 from pjbgf/updates
c88853b *: Add CodeQL workflow
Updates
github.com/go-git/go-git/v5
from 5.6.1 to 5.9.0
Release notes
Sourced from github.com/go-git/go-git/v5's releases.
... (truncated)
Commits
e24e0f7 *: Bump go-billy to v5.5.0
ff0bd08 Merge pull request #837 from pjbgf/bump
cbbeb49 *: Bump to Go 1.19
cf3a75c *: Bump dependencies
51e9c9f Merge pull request #835 from matejrisek/feature/do-not-swallow-vcs-host-errors
5ad72db plumbing: Do not swallow http message coming from VCS providers.
0377d06 Merge pull request #821 from daolis/bug/resetfix
753b0d5 git: worktree, reset ignored files that are part of the worktree: Fixes #819
cd3a21c Merge pull request #832 from svghadi/CVE-2023-37788
f71a449 *: Bump goproxy dep. Fixes #826
Updates
github.com/google/go-containerregistry
from 0.15.1 to 0.16.1
Release notes
Sourced from github.com/google/go-containerregistry's releases.
... (truncated)
Commits
a54d642 fix: pin to goreleaser v1.18 to unblock release (#1763)
ea19b57 Return OCI Index content-type for referrers response (#1762)
b850480 Drop localhost to support crane registry serve in a container (#1746)
fe268b7 Don't try cross-origin mounting against dockerhub (#1743)
2472cbb Let the filesystem handle atomicity (#1735)
db818dc Use RWLock, limit scope of locking, write digest first (#1734)
44a6e2e Allow concurrent blob Sets, use RWMutex (#1733)
9010ce1 Correct crane registry help text (#1732)
03ad2ac add --blobs-to-disk to 'crane registry serve' (#1731)
4e4b03a Don't load into daemon if the image already exists (#1724)
Updates
github.com/google/uuid
from 1.3.0 to 1.3.1
Release notes
Sourced from github.com/google/uuid's releases.
Changelog
Sourced from github.com/google/uuid's changelog.
Commits
b3cae7c chore(master): release 1.3.1 (#127)
7b8f57c fix(ci): switch to release-please app (#126)
e69e468 chore(ci): configure release-please, update contrib (#122)
97c970d chore(ci): add apidiff check for API compatibility (#123)
53f93a8 docs: change godoc URL in README (#124)
0b416df docs: update link to RFC 4122 (#93)
75e1ac5 docs: shell format go tool command (#111)
Looks like these dependencies are updatable in another way, so this is no longer needed.