From d48641491674ce2d8650c1230e64bbc16bf4457f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 13 Jan 2022 16:32:16 +0000 Subject: [PATCH 1/4] build(deps): update cyclonedx-python-lib requirement Updates the requirements on [cyclonedx-python-lib](https://github.com/CycloneDX/cyclonedx-python-lib) to permit the latest version. - [Release notes](https://github.com/CycloneDX/cyclonedx-python-lib/releases) - [Changelog](https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md) - [Commits](https://github.com/CycloneDX/cyclonedx-python-lib/compare/v0.11.1...v1.1.0) --- updated-dependencies: - dependency-name: cyclonedx-python-lib dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index 1fc1b544..3f38e72c 100644 --- a/setup.py +++ b/setup.py @@ -36,7 +36,7 @@ "resolvelib>=0.8.0", "html5lib>=1.1", "CacheControl[filecache]>=0.12.10", - "cyclonedx-python-lib>=0.11.1,<1.0.0", + "cyclonedx-python-lib>=0.11.1,<2.0.0", ], extras_require={ "dev": [ From 4774deced8fd662efd12a5cc1f06fc5a599c688b Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 13 Jan 2022 11:51:59 -0500 Subject: [PATCH 2/4] Bump cyclonedx-python-lib, API changes --- pip_audit/_format/cyclonedx.py | 9 ++++++--- setup.py | 2 +- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/pip_audit/_format/cyclonedx.py b/pip_audit/_format/cyclonedx.py index a8c6c81f..1b91bdff 100644 --- a/pip_audit/_format/cyclonedx.py +++ b/pip_audit/_format/cyclonedx.py @@ -33,8 +33,7 @@ def __init__(self, result: Dict[service.Dependency, List[service.VulnerabilityRe Vulnerability( id=vuln.id, description=vuln.description, - advisories=[f"Upgrade: {v}" for v in vuln.fix_versions], - recommendations=["Upgrade"], + recommendation="Upgrade", ) ) @@ -75,6 +74,10 @@ def format(self, result: Dict[service.Dependency, List[service.VulnerabilityResu parser = _PipAuditResultParser(result) bom = Bom.from_parser(parser) - formatter = output.get_instance(bom=bom, output_format=self._inner_format.value) + formatter = output.get_instance( + bom=bom, + output_format=self._inner_format.value, + schema_version=output.SchemaVersion.V1_4, + ) return formatter.output_as_string() diff --git a/setup.py b/setup.py index 3f38e72c..91e1b1aa 100644 --- a/setup.py +++ b/setup.py @@ -36,7 +36,7 @@ "resolvelib>=0.8.0", "html5lib>=1.1", "CacheControl[filecache]>=0.12.10", - "cyclonedx-python-lib>=0.11.1,<2.0.0", + "cyclonedx-python-lib>=1.1.0,<2.0.0", ], extras_require={ "dev": [ From 5f345c37623d554821886ff7913e045af1d431bc Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 13 Jan 2022 11:59:41 -0500 Subject: [PATCH 3/4] CHANGELOG: record changes --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 85941e1f..b8c76bb2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,11 @@ All versions prior to 0.0.9 are untracked. ### Changed +* Output formats: The SBOM output formats (`--format=cyclonedx-xml` and + `--format=cyclonedx-json`) now use CycloneDX + [Schema 1.4](https://cyclonedx.org/docs/1.4/xml/) + ([#216](https://github.com/trailofbits/pip-audit/pull/216)) + ### Fixed ### Removed From a7bc3aa47a9ffbacbbf0e1c25543e60ea90eb7cb Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 13 Jan 2022 13:04:19 -0500 Subject: [PATCH 4/4] Update setup.py Co-authored-by: Dustin Ingram --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index 91e1b1aa..5b0fa0cf 100644 --- a/setup.py +++ b/setup.py @@ -36,7 +36,7 @@ "resolvelib>=0.8.0", "html5lib>=1.1", "CacheControl[filecache]>=0.12.10", - "cyclonedx-python-lib>=1.1.0,<2.0.0", + "cyclonedx-python-lib>=1.0.0,<2.0.0", ], extras_require={ "dev": [