feat!: default to CDX1.5 (#441)

---------

Signed-off-by: Jan Kowalleck <[email protected]>

HISTORY.md

@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file.
 
 ## unreleased
 
+* BREAKING changes
+  * CLI switch `--spec-version` defaults to `1.5`, was `1.4` (via [#441])
+* Dependencies
+    * Raised dependency `cyclonedx/cyclonedx-library:^3.1`, was `:^2.3 || ^3.0` (via [#441])
+
+[#441]: https://github.com/CycloneDX/cyclonedx-php-composer/pull/441
+
 ## 4.2.3 - 2023-11-27
 
 * Misc
@@ -169,8 +176,8 @@ Maintenance Release.
 
 ## 3.10.0 - 2022-04-02
 
-* Changed
-  * Raised dependency `cyclonedx/cyclonedx-library:^1.4.2`, was `cyclonedx/cyclonedx-library:^1.3.1`. (via [#192])
+* Dependencies
+  * Raised dependency `cyclonedx/cyclonedx-library:^1.4.2`, was `:^1.3.1`. (via [#192])
 * Misc
   * Adjusted internal typing and typehints. (via [#192])
   * Improved compatibility to Composer v2.3 (via [#212])

README.md

@@ -71,7 +71,7 @@ Options:
       --omit=OMIT                                     Omit dependency types.
                                                       {choices: "dev", "plugin"} (multiple values allowed)
       --spec-version=SPEC-VERSION                     Which version of CycloneDX spec to use.
-                                                      {choices: "1.1", "1.2", "1.3", "1.4", "1.5"} [default: "1.4"]
+                                                      {choices: "1.1", "1.2", "1.3", "1.4", "1.5"} [default: "1.5"]
       --output-reproducible|--no-output-reproducible  Whether to go the extra mile and make the output reproducible.
                                                       This might result in loss of time- and random-based-values.
       --validate|--no-validate                        Formal validate the resulting BOM.

composer.json

@@ -39,7 +39,7 @@
     "require": {
         "php": "^8.1",
         "composer-plugin-api": "^2.3",
-        "cyclonedx/cyclonedx-library": "^2.3 || ^3.0",
+        "cyclonedx/cyclonedx-library": "^3.1",
         "package-url/packageurl-php": "^1.0"
     },
     "require-dev": {

src/_internal/MakeBom/Options.php

@@ -100,9 +100,9 @@ class Options
      * @psalm-var array<string, Version>
      */
     private const VALUE_SPEC_VERSION_MAP = [
-        '1.4' => Version::v1dot4,
-        // first in list is the default value - see constructor
         '1.5' => Version::v1dot5,
+        // first in list is the default value - see constructor
+        '1.4' => Version::v1dot4,
         '1.3' => Version::v1dot3,
         '1.2' => Version::v1dot2,
         '1.1' => Version::v1dot1,

tests/Integration/CommandMakeSbomTest.php

@@ -61,14 +61,14 @@ public function testFile(array $input, string $expectedOutput): void
 
     public static function dp(): Generator
     {
-        yield 'not reproducible defaults to XML 1.4 with serialnumber' => [
+        yield 'not reproducible defaults to XML 1.5 with serialnumber' => [
             ['--output-reproducible' => false],
-            '<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1" serialNumber="',
+            '<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1" serialNumber="',
         ];
-        yield 'reproducible defaults to XML 1.4 with no serial number nor timestamp' => [
+        yield 'reproducible defaults to XML 1.5 with no serial number nor timestamp' => [
             ['--output-reproducible' => true],
             <<<'XML'
-                <bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
+                <bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
                   <metadata>
                     <tools>
                 XML,

tests/Unit/MakeBom/OptionsTest.php

@@ -62,7 +62,7 @@ public static function dpProducesOption(): Generator
                 'outputFormat' => Format::XML,
                 'outputFile' => Options::VALUE_OUTPUT_FILE_STDOUT,
                 'omit' => [],
-                'specVersion' => Version::v1dot4,
+                'specVersion' => Version::v1dot5,
                 'validate' => true,
                 'mainComponentVersion' => null,
                 'composerFile' => null,