pypa / pip-audit

Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them
https://pypi.org/project/pip-audit/
Apache License 2.0

cyclonedx-python-lib 6.0 and above breaks pip-audit #730

Closed neilkk closed 9 months ago

neilkk commented 9 months ago

```
$ python -c "from cyclonedx.parser import BaseParser"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
ModuleNotFoundError: No module named 'cyclonedx.parser'
```

Removal PR below: https://github.com/CycloneDX/cyclonedx-python-lib/issues/489

woodruffw commented 9 months ago

Thanks for the report @neilkk!

This strongly suggests an upstream semver breakage. I'll continue to diagnose. This now suggests either a user error or an outdated pip-audit version. We need more information to continue to triage.

(Could you please follow the bug report template for this issue and future ones? It makes our triaging efforts significantly easier. In particular, it would help to know which specific CycloneDX version you're using.)

woodruffw commented 9 months ago

From a quick look, our current imports don't contain BaseParser or cyclonedx.parser:

https://github.com/pypa/pip-audit/blob/88a3f8c263f122d26d536fe481b9f1af2f9869f6/pip_audit/_format/cyclonedx.py#L10-L13

We've supported 6.0+ since https://github.com/pypa/pip-audit/pull/715, which was merged in v2.7.0: https://github.com/pypa/pip-audit/releases/tag/v2.7.0

As such, this is almost certainly not a bug in current versions of pip-audit.

neilkk commented 9 months ago

Sorry for the confusion; it looks like we were running pip-audit v2.5.1.
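A small diagnostic, added here as an example and not part of pip-audit or cyclonedx-python-lib, that flags the version pairing discussed in this thread (pip-audit older than v2.7.0 alongside cyclonedx-python-lib 6.0 or newer) before the `ModuleNotFoundError` surfaces. The thresholds are taken from the comments above; `is_incompatible`, `release_tuple` and `diagnose` are hypothetical names, and only the numeric release segment of each version is compared.

```python
"""Flag the pip-audit / cyclonedx-python-lib pairing known to fail with
'No module named cyclonedx.parser'. Example helper, not project code."""
from __future__ import annotations

import re
from importlib import metadata

# Thresholds from the issue thread: cyclonedx-python-lib 6.0 removed the
# cyclonedx.parser module; pip-audit v2.7.0 (PR #715) stopped importing it.
PIP_AUDIT_FIXED = (2, 7, 0)
CYCLONEDX_BREAKING = (6, 0, 0)


def release_tuple(version: str) -> tuple[int, ...]:
    """Numeric release segment of a PEP 440 version (pre/post/dev suffixes
    ignored), padded to at least three components for comparison."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_incompatible(pip_audit_version: str, cyclonedx_version: str) -> bool:
    """True when this pair would hit the missing-module import in pip-audit."""
    return (release_tuple(pip_audit_version) < PIP_AUDIT_FIXED
            and release_tuple(cyclonedx_version) >= CYCLONEDX_BREAKING)


def installed_version(dist: str) -> str | None:
    """Installed version of a distribution, or None if it is not present."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def diagnose() -> str:
    """Describe the pairing installed in the current environment."""
    pa = installed_version("pip-audit")
    cdx = installed_version("cyclonedx-python-lib")
    if pa is None or cdx is None:
        return f"not both installed (pip-audit={pa}, cyclonedx-python-lib={cdx})"
    if is_incompatible(pa, cdx):
        return (f"pip-audit {pa} with cyclonedx-python-lib {cdx}: known breakage, "
                "upgrade pip-audit to >= 2.7.0")
    return f"pip-audit {pa} with cyclonedx-python-lib {cdx}: compatible"


if __name__ == "__main__":
    print(diagnose())
```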