Merge branch 'main' into martin/fix-github-tag-matching

sw360 · Jan 29, 2025 · d05917c · d05917c
2 parents 94a8125 + 9924eaf
commit d05917c
Show file tree

Hide file tree

Showing 22 changed files with 4,890 additions and 2,842 deletions.
diff --git a/.github/workflows/static-checks.yml b/.github/workflows/static-checks.yml
@@ -43,8 +43,7 @@ jobs:
         # stop the build if there are Python syntax errors or undefined names
         poetry run flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
 
-        # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
-        poetry run flake8 . --count --exit-zero --max-line-length=127 --statistics
+        poetry run flake8 . --count --statistics
 
     - name: Run isort
       run: |

diff --git a/ChangeLog.md b/ChangeLog.md
@@ -7,11 +7,31 @@
 
 ## NEXT
 
+* fix for `bom findsources` for some JavaScript SBOMs.
+* `bom show` command also lists purl and source code download url in verbose mode.  
+  If one of the values is missing and `--forceerror` has been specified, error code 97 is returned.
+* `bom show` command also lists license information in verbose mode, but
+  only for CycloneDX 1.6 and later.
+* `bom validate` now also uses `-v` and `--forceerror` and uses the same `bom show` functionality
+  to check for missing purl or source code url.
+* until version 2.6.0, `project create` always set the Project Mainline State of a project release either
+  to SPECIFIC of to the value given by `-pms`. Now **existing** Project Mainline States are kept.
+* `project create` has a new parameter `--copy_from` which allows to first create a copy of the given
+  project and then update the releases based on the contents of the given SBOM.
+* fix for `bom map` losing SBOM items when it tries to map to invalid SW360 releases.
+* fix issue with setting external references (in `bom granularity`).
+
+## 2.6.0
+
 * `bom merge` improved: the dependencies are reconstructed, i.e. all dependencies
   that existed in the SBOMs before the merge should also exist after the merge.
 * `bom convert` improved: we can now convert from and to CycloneDX XML.
-* new command `bom validate` to do a siple validation whether a given SBOM
+* new command `bom validate` to do a simple validation whether a given SBOM
   complies with the CycloneDX spec version 1.4, 1.5 or 1.6.
+* `bom findsources`: programming language can be `golang` or `go`.
+* support for the new CyCloneDX 1.6 external reference type `source-distribution`
+  when trying to find the source code for a component.
+* Dependency updates.
 
 ## 2.6.0.dev1
 

diff --git a/DUMP.TXT b/DUMP.TXT
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,23 @@
+FROM python:3.12-slim
+
+ARG VERSION
+
+ARG MY_PATH=/opt/capycli
+ARG MY_VENV=${MY_PATH}/venv
+
+RUN mkdir -p "${MY_PATH}"
+RUN python -m venv --without-pip "${MY_VENV}"
+ENV VIRTUAL_ENV=${MY_VENV}
+ENV PATH=${VIRTUAL_ENV}/bin:${PATH}
+
+COPY ./dist ${MY_PATH}/dist
+RUN pip --python "${MY_VENV}" \
+   install --no-cache-dir --no-input --progress-bar=off \
+   --verbose --debug \
+   --prefix "${MY_VENV}" --require-virtualenv \
+   --compile \
+   "capycli==${VERSION}" --find-links "file://${MY_PATH}/dist"
+RUN rm -rf ${MY_PATH}/dist
+
+# reset entrypoint
+ENTRYPOINT []
diff --git a/Readme.md b/Readme.md
@@ -145,7 +145,8 @@ Options:
 These options are not available for all commands. At the moment
 
 * `--forceexit` applies only to the `project vulnerabilities` command.
-* `--forceerror` applies only to the `project prerequisites` and `project getlicenseinfo` commands.
+* `--forceerror` applies only to the commands `project prerequisites`, `project getlicenseinfo`  
+   and `bom show`.
 
 ## Use Cases