
Upgrade to CycloneDX version 1.6 #489

Closed
XSpielinbox opened this issue Apr 21, 2024 · 11 comments

Comments

@XSpielinbox

Version 1.6 of the CycloneDX spec has been released on 09 April 2024.

The spec is available at https://cyclonedx.org/docs/1.6/json/

@hboutemy
Contributor

Requires CycloneDX/cyclonedx-core-java#392

@VinodAnandan

@XSpielinbox @hboutemy The CycloneDX Core Java version 9.0.0 has been released with CycloneDX 1.6 support, thanks to @mr-zepol, @stevespringett, and @nscuro for their help with this.

https://github.com/CycloneDX/cyclonedx-core-java/releases/tag/cyclonedx-core-java-9.0.0

@msymons
Contributor

msymons commented May 23, 2024

A heads-up wrt progressing further.

cyclonedx-core-java v9.0.0 has had this issue reported: CycloneDX/cyclonedx-core-java/issues/409

It is being worked on with a fix due ASAP (thanks to @mr-zepol).

So, I suggest it will be cyclonedx-core-java v9.0.1 that is needed in order to unlock adding support for CycloneDX 1.6 to the maven plugin.

@msymons
Contributor

msymons commented Jun 9, 2024

@hboutemy, with the release of cyclonedx-core-java v9.0.2 that addresses validation failures, things should now be unblocked, allowing support for CycloneDX 1.6 to be added to the maven plugin.

@hboutemy
Contributor

@msymons ok.
Is there any update to the generated content we should do while changing the dependency version? Or is it just about generating a new "1.6" value in the version field?

@msymons
Contributor

msymons commented Jun 20, 2024

@hboutemy , apologies for the slow response.

For me, there are several reasons for upgrading:

  • Support for the latest version of the specification is important for CycloneDX projects because they are reference implementations. In that sense, it does not matter if the maven plugin cannot deliver on the two new areas of 1.6 functionality: crypto and attestations. Or can it? As the maven expert you would know best on this.

  • Avoiding build-up of technical debt (or, just spotting problems earlier). I use the maven plugin extensively and all BOMs are uploaded to the latest version of Dependency-Track and the latest DT Snapshot as well... with DT also being a reference implementation for CycloneDX. DT now includes schema validation for uploaded BOMs and the Snapshot (i.e., upcoming v4.12.0) does now support CycloneDX 1.6. Thus, the quicker the plugin supports CycloneDX 1.6, the quicker we can get feedback that all is looking good!

  • Upgrading core-java to 9.0.x (9.0.3 now released) offers additional functionality. Specifically, an additional SPDX License ID mapping. It's for MPL, so I very much look forward to the next release of the maven plugin generating a BOM that includes this mapping so that my rhino components can now be evaluated by DT license policies. If that works then I plan to submit PRs to core-java for additional (more useful) mappings.

For what it's worth, I think there is a bunch of CycloneDX 1.5 functionality currently missing that could/should be supported by the plugin... but that's a separate concern.
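An added pre-upload check, not part of this thread or the plugin, that a practitioner can run over a generated CycloneDX JSON BOM before sending it to Dependency-Track: it sanity-checks the bomFormat/specVersion header against the $schema reference and lists components whose license carries only a free-text name (no SPDX id), which is exactly the case license policies cannot evaluate until a mapping such as the MPL one exists. The sample BOM and the set of accepted spec versions are constructed for the example.

```python
import json

# Constructed sample BOM (not plugin output): one MPL component with an SPDX id,
# one with only a free-text license name, one with no license information at all.
SAMPLE_BOM = json.dumps({
    "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {"type": "library", "name": "rhino", "version": "1.7.14",
         "purl": "pkg:maven/org.mozilla/rhino@1.7.14",
         "licenses": [{"license": {"id": "MPL-2.0"}}]},
        {"type": "library", "name": "lib-a", "version": "1.0",
         "purl": "pkg:maven/example/lib-a@1.0",
         "licenses": [{"license": {"name": "Mozilla Public License Version 2.0"}}]},
        {"type": "library", "name": "lib-b", "version": "2.0",
         "purl": "pkg:maven/example/lib-b@2.0"},
    ],
})

# Assumption for the example: the spec versions the consuming tool accepts.
SUPPORTED_SPEC_VERSIONS = {"1.4", "1.5", "1.6"}


def spec_version_issues(bom: dict) -> list[str]:
    """Check the BOM header; the $schema reference, when present, must match specVersion."""
    issues = []
    if bom.get("bomFormat") != "CycloneDX":
        issues.append("bomFormat is not CycloneDX")
    spec = bom.get("specVersion")
    if spec not in SUPPORTED_SPEC_VERSIONS:
        issues.append(f"unsupported specVersion {spec!r}")
    schema = bom.get("$schema")
    if schema and spec and f"bom-{spec}.schema.json" not in schema:
        issues.append(f"$schema {schema!r} does not match specVersion {spec}")
    return issues


def components_without_spdx_id(bom: dict) -> list[str]:
    """Return purls (or names) of components with no SPDX license id or expression."""
    unmapped = []
    for comp in bom.get("components", []):
        choices = comp.get("licenses", [])
        mapped = any("expression" in c or c.get("license", {}).get("id") for c in choices)
        if not mapped:
            unmapped.append(comp.get("purl") or comp["name"])
    return unmapped


if __name__ == "__main__":
    bom = json.loads(SAMPLE_BOM)
    print("header issues:", spec_version_issues(bom))
    print("components lacking an SPDX license id:", components_without_spdx_id(bom))
```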

@hboutemy hboutemy added this to the 2.9.0 milestone Jun 29, 2024
@thesurlydev

According to previous comments support for 1.6 should be unblocked. It's now months later and I'm wondering why 1.6 support hasn't been added yet. What can be done to help speed things along?

@thesurlydev

On a whim I started making changes to support 1.6 here: https://github.com/thesurlydev/cyclonedx-maven-plugin/tree/support-1.6-spec

I think there's more work to be done and I have questions about how releases are normally tested beyond the tests in the project.

@hboutemy
Contributor

hboutemy commented Sep 25, 2024

Thanks @thesurlydev for the help, really appreciated, particularly given the good work done on being exhaustive about the impact.
The key (and hard) impact to evaluate is updates in the spec itself, to avoid using deprecated features, like we had in CDX 1.5 with #487.

On discovering new features of CDX 1.6 and how the plugin could be enhanced to benefit from them, this is an even wider question.

"how releases are normally tested beyond the tests in the project"

Honestly, we don't have any official strategy yet: until now, people use it after the release and then complain... :/
We opened GH Discussions but did not really push anything there. We also have Slack, which you found, but again it is not really alive for coordinating community pro-active feedback.

@hboutemy
Contributor

"For what it's worth, I think there is a bunch of CycloneDX 1.5 functionality is currently missing and that could/should be supported by the plugin... but that's a separate concern"

@msymons I'm very interested in having issues created for each CDX 1.5 (and now 1.6) feature that could be added, then on each issue a discussion on how to implement it in a reasonable way for normal users.

@hboutemy
Contributor

hboutemy commented Oct 5, 2024

Done in #556 by @thesurlydev: thanks a lot.

@hboutemy hboutemy closed this as completed Oct 5, 2024