
Releases: sw360/capycli

v2.6.0

07 Dec 12:53

2.6.0

  • bom merge improved: the dependencies are reconstructed, i.e. all dependencies
    that existed in the SBOMs before the merge should also exist after the merge.
  • bom convert improved: we can now convert from and to CycloneDX XML.
  • new command bom validate to do a simple validation whether a given SBOM
    complies with the CycloneDX spec version 1.4, 1.5 or 1.6.
  • bom findsources: programming language can be golang or go.
  • support for the new CycloneDX 1.6 external reference type source-distribution
    when trying to find the source code for a component.
  • Dependency updates.
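
The first bullet matters for anyone feeding merged SBOMs into vulnerability or license analysis: a merge that keeps the union of components but drops dependency edges silently hides transitive dependencies. The following is an added example of such a dependency-preserving merge of CycloneDX JSON documents, written for this page and not CaPyCLI's own code. The two input SBOMs are constructed for the example; components are deduplicated by bom-ref (falling back to purl, then name@version), dependency edges are unioned per ref, and two checks verify that no edge was lost and that no ref dangles.

```python
"""Added example: merge CycloneDX JSON SBOMs without losing dependency edges.

Illustrative code, not CaPyCLI's implementation. SBOM_A and SBOM_B are
constructed sample documents describing the same application.
"""
import json
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: two SBOMs from different tools. Both list "requests";
# only the first knows about "urllib3", only the second about "idna".
SBOM_A = {
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "metadata": {"component": {"type": "application", "name": "app",
                               "version": "1.0", "bom-ref": "app@1.0"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "bom-ref": "pkg:pypi/requests@2.32.3", "purl": "pkg:pypi/requests@2.32.3"},
        {"type": "library", "name": "urllib3", "version": "2.2.2",
         "bom-ref": "pkg:pypi/urllib3@2.2.2", "purl": "pkg:pypi/urllib3@2.2.2"},
    ],
    "dependencies": [
        {"ref": "app@1.0", "dependsOn": ["pkg:pypi/requests@2.32.3"]},
        {"ref": "pkg:pypi/requests@2.32.3", "dependsOn": ["pkg:pypi/urllib3@2.2.2"]},
    ],
}
SBOM_B = {
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "metadata": {"component": {"type": "application", "name": "app",
                               "version": "1.0", "bom-ref": "app@1.0"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "bom-ref": "pkg:pypi/requests@2.32.3", "purl": "pkg:pypi/requests@2.32.3"},
        {"type": "library", "name": "idna", "version": "3.7",
         "bom-ref": "pkg:pypi/idna@3.7", "purl": "pkg:pypi/idna@3.7"},
    ],
    "dependencies": [
        {"ref": "app@1.0", "dependsOn": ["pkg:pypi/requests@2.32.3"]},
        {"ref": "pkg:pypi/requests@2.32.3", "dependsOn": ["pkg:pypi/idna@3.7"]},
    ],
}


def component_ref(comp: dict) -> str:
    """Deduplication key: bom-ref, else purl, else name@version."""
    return comp.get("bom-ref") or comp.get("purl") or f"{comp['name']}@{comp.get('version', '')}"


def dependency_edges(doc: dict) -> Set[Tuple[str, str]]:
    """All (ref, dependsOn) pairs of a document's dependency graph."""
    return {(d["ref"], t) for d in doc.get("dependencies", []) for t in d.get("dependsOn", [])}


def merge_sboms(docs: List[dict]) -> dict:
    components: Dict[str, dict] = {}
    deps: Dict[str, Set[str]] = {}
    for doc in docs:
        for comp in doc.get("components", []):
            components.setdefault(component_ref(comp), comp)  # first occurrence wins
        # Union of targets per ref: a ref seen in several inputs keeps all its edges.
        for dep in doc.get("dependencies", []):
            deps.setdefault(dep["ref"], set()).update(dep.get("dependsOn", []))
    # Give every target its own (possibly empty) entry so the graph is closed.
    for targets in list(deps.values()):
        for target in targets:
            deps.setdefault(target, set())
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
        "metadata": docs[0].get("metadata", {}),
        "components": sorted(components.values(), key=lambda c: c["name"].lower()),
        "dependencies": [{"ref": ref, "dependsOn": sorted(targets)}
                         for ref, targets in sorted(deps.items())],
    }


def lost_edges(inputs: Iterable[dict], merged: dict) -> Set[Tuple[str, str]]:
    """Edges present in some input but missing from the merge (must be empty)."""
    before: Set[Tuple[str, str]] = set()
    for doc in inputs:
        before |= dependency_edges(doc)
    return before - dependency_edges(merged)


def dangling_refs(doc: dict) -> Set[str]:
    """Refs used in the dependency graph that no component or the metadata component declares."""
    known = {component_ref(c) for c in doc.get("components", [])}
    meta = doc.get("metadata", {}).get("component", {})
    if meta.get("bom-ref"):
        known.add(meta["bom-ref"])
    used = {d["ref"] for d in doc.get("dependencies", [])}
    used |= {t for d in doc.get("dependencies", []) for t in d.get("dependsOn", [])}
    return used - known


def merge_example() -> dict:
    return merge_sboms([SBOM_A, SBOM_B])


if __name__ == "__main__":
    merged = merge_example()
    print(json.dumps(merged, indent=2))
    print("lost edges:", lost_edges([SBOM_A, SBOM_B], merged))
    print("dangling refs:", dangling_refs(merged))
```

Run the two checks after any merge, whatever tool produced it: an empty `lost_edges` result is the property the release note promises, and an empty `dangling_refs` result catches the related failure where an edge survives but the component it points at was dropped.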

2.6.0.dev1

  • make findsources more resilient against SW360 issues.
  • project createbom now stores multiple purls in the property "purl_list" instead of
    packing them into the single "purl" field with an ad-hoc encoding.
  • support CycloneDX 1.6 and Siemens Standard BOM 3.
  • bom createcomponents: attachment upload is now more robust to prevent .git files being uploaded.
  • granularity list extended.
  • dependency updates.
  • getdependencies python can now detect and ignore dev dependencies also for new versions
    of the poetry.lock file. This is done by also using the information in the pyproject.toml file.
  • add documentation for SBOM filtering.

v2.5.1

16 Oct 07:49

2.5.1 (2024-10-16)

  • fix: urls coming from granularity file are repository urls and not source code
    download urls.
  • fix wrong variable to correct bom findsources.
  • fix loading of SBOMs that support different kinds of licenses.
  • run unit tests also for Python 3.12 and 3.13.

v2.5.0

20 Jul 08:50

2.5.0

  • Fixed an error when creating an SBOM from a project on SW360 when this project
    contains a component with more than one package-url.
  • Fixed an issue with invalid package-urls.
  • New flag -pms or --project-mainline-state to specify which project mainline state
    should be used for releases of a new project created by project create.
  • Dependency updates.

v2.4.0

22 Apr 06:27

2.4.0 (2024-04-22)

  • CaPyCLI is more resilient when accessing SW360.
  • Dependency updates:
    • idna 3.6 -> 3.7 to fix a security vulnerability
    • sw360 1.4.1 -> 1.5.0 for improved session handling across all API requests.

v2.3.0

05 Apr 15:12

2.3.0 (2024-04-05)

  • Have an updated granularity list.
  • New flag force error for project prerequisites: the application exits with an
    error code if the prerequisites check fails.
  • The flag force error is also available for project getlicenseinfo and results in an error
    code if a CLI file is missing.

v2.2.0

20 Feb 21:46

2.2.0 (2024-02-20)

  • getdependencies javascript can now handle package-lock.json files of version 3.
  • bom findsources can now discover source URLs via SW360 lookup, perform a deep
    search on GitLab, and adapt its search strategy to the programming language.
  • Type support added.

Prerelease v2.2.0.dev1

28 Jan 22:08
f6028c7

2.2.0 (2024-01-28)

  • getdependencies javascript can now handle package-lock.json files of version 3.
  • bom findsources can now discover source URLs via SW360 lookup, perform a deep
    search on GitLab, and adapt its search strategy to the programming language.
  • Type support added.

v2.0.0

02 Jun 13:48

2.0.0 (2023-06-02)

This is the list of changes from version 1.9.1 to 2.0.0:

  • breaking changes

    • new command bom convert to import and export SBOMs in multiple formats.
      This new command replaces bom FromCSV, bom FromFlatList, bom FromSbom,
      bom ToHtml and bom ToSbom.
    • bom sort is discontinued, CycloneDX SBOMs are always sorted by component name.
    • The option -source of GetDependencies python is discontinued, please use
      bom downloadsources instead.
    • project show writes the output file only in plain JSON and not CycloneDX.
    • project CreateReadme requires new entries in readme_oss_config.json to be independent
      of the name Siemens
      • CompanyName
      • CompanyAddressN, N = 1..4
    • bom map now uses alphanumeric identifier for mapping instead of integer values:
      • INVALID: 0-invalid instead of 0
      • FULL_MATCH_BY_ID: 1-full-match-by-id instead of 1
      • FULL_MATCH_BY_HASH: 2-full-match-by-hash instead of 2
      • FULL_MATCH_BY_NAME_AND_VERSION: 3-full-match-by-name-and-version instead of 3
      • MATCH_BY_FILENAME: 4-good-match-by-filename instead of 4
      • MATCH_BY_NAME: 5-candidate-match-by-name instead of 5
      • SIMILAR_COMPONENT_FOUND: 6-candidate-match-similar-component instead of 6
      • NO_MATCH: 9-no-match instead of 100
    • bom map now uses alphanumeric identifier for map modes (-m) instead of integer values:
      • all instead of 0
      • found instead of 1
      • notfound instead of 2
    • dropped support for option -stage. The SW360 server instance can be specified via the -url parameter.
    • The hard coded address https://sw360.siemens.com has been removed.
      CaPyCLI reads the SW360 server address either from the environment variable SW360ServerUrl or
      via the -url parameter.
    • CaPyCLI supports an optional config file .capycli.cfg. Settings defined in the config file
      supersede settings in environment variables. Command line parameters supersede config file settings.
    • bom map reports matches by name with a different version only if -all has been specified.
      The original idea of CaPyCLI was to report as many potential matches as possible and to let the user
      decide which match to take by editing the SBOM. But it seems that many users did not read the documentation
      and the expectations were different. Therefore the default behavior has been changed.
      The original behavior of versions prior to 2.x can be enabled via the -all switch.
  • Enhancements

    • Have an updated granularity list.
    • A list of frequently asked questions has been added.
    • getdependencies python now also accepts a Poetry lock file (must be poetry.lock) as input.
      Development dependencies are automatically excluded.
    • Code of conduct added.
    • Warnings about multiple purls entries when running bom map are now only shown if -v has been specified.
    • The cache functionality of bom map also supports the staging system.
    • project GetLicenseInfo can take over data from existing Readme_OSS config files.
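
The precedence rules above (command line over .capycli.cfg over environment variable) decide which SW360 server a token is sent to, so it is worth being able to tell where a resolved value came from. The following is an added example for this page, not CaPyCLI's own code: it resolves one setting with that precedence and reports its source, and adds a practitioner's check that the resolved server URL is HTTPS and points at an expected host. The INI layout with a [capycli] section and the option name "url" are assumptions made for the example; only the precedence order and the SW360ServerUrl variable name come from the release notes.

```python
"""Added example: resolve a setting with command line > config file > environment
precedence and report its source. Illustrative code, not CaPyCLI's.

Assumptions: .capycli.cfg is INI text with a [capycli] section, and the
server URL option is called "url". CONFIG_TEXT is a constructed sample.
"""
import configparser
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed .capycli.cfg content (assumed layout).
CONFIG_TEXT = """
[capycli]
url = https://sw360.example.internal
"""


def resolve_setting(key: str, cli_args: Dict[str, Optional[str]], config_text: Optional[str],
                    environ: Dict[str, str], env_name: str) -> Tuple[Optional[str], str]:
    """Return (value, source). Earlier sources win; an empty value does not count as set."""
    if cli_args.get(key):
        return cli_args[key], "command line"
    if config_text:
        cfg = configparser.ConfigParser()
        cfg.read_string(config_text)
        if cfg.has_option("capycli", key) and cfg.get("capycli", key):
            return cfg.get("capycli", key), "config file"
    if environ.get(env_name):
        return environ[env_name], "environment"
    return None, "unset"


def server_url_is_trusted(url: Optional[str], allowed_hosts: Set[str]) -> bool:
    """Only talk HTTPS to a host we expect.

    A .capycli.cfg dropped into the working tree outranks the environment, so a
    stray or malicious config file could redirect the API token elsewhere.
    """
    if not url:
        return False
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in allowed_hosts


if __name__ == "__main__":
    url, source = resolve_setting("url", {}, CONFIG_TEXT,
                                  {"SW360ServerUrl": "https://env.example"}, "SW360ServerUrl")
    print(f"{url} (from {source}); trusted: "
          f"{server_url_is_trusted(url, {'sw360.example.internal'})}")
```

When a run unexpectedly targets the wrong server, the source string is the first thing to print: a config file checked into a repository silently wins over every CI environment variable.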

Prerelease 2.0.0.dev8

19 May 18:21

2.0.0.dev (2023-05-19)

  • breaking changes
    • new command bom convert to import and export SBOMs in multiple formats.
      This new command replaces bom FromCSV, bom FromFlatList, bom FromSbom,
      bom ToHtml and bom ToSbom.
    • bom sort is discontinued, CycloneDX SBOMs are always sorted by component name.
    • The option -source of GetDependencies python is discontinued, please use
      bom downloadsources instead.
    • project show writes the output file only in plain JSON and not CycloneDX.
    • project CreateReadme requires new entries in readme_oss_config.json to be independent
      of the name Siemens
      • CompanyName
      • CompanyAddressN, N = 1..4
    • bom map now uses alphanumeric identifier for mapping instead of integer values:
      • INVALID: 0-invalid instead of 0
      • FULL_MATCH_BY_ID: 1-full-match-by-id instead of 1
      • FULL_MATCH_BY_HASH: 2-full-match-by-hash instead of 2
      • FULL_MATCH_BY_NAME_AND_VERSION: 3-full-match-by-name-and-version instead of 3
      • MATCH_BY_FILENAME: 4-good-match-by-filename instead of 4
      • MATCH_BY_NAME: 5-candidate-match-by-name instead of 5
      • SIMILAR_COMPONENT_FOUND: 6-candidate-match-similar-component instead of 6
      • NO_MATCH: 9-no-match instead of 100
    • dropped support for option -stage. The SW360 server instance can get specified via the -url parameter.
    • The hard coded address https://sw360.siemens.com has been removed.
      CaPyCLI reads the SW360 server address either from the environment variable SW360ServerUrl or
      via the -url parameter.
    • CaPyCLI supports an optional config file .capycli.cfg. Settings defined in the config file
      supersede settings in environment variables. Command line parameters supersede config file settings.
  • The cache functionality of bom map also supports the staging system.
  • project GetLicenseInfo can take over data from existing Readme_OSS config files.