cyclonedx merge command does not support v1.6 format

[ferben]

When you try merge two files in 1.6 version, you get:

Unhandled exception: System.ArgumentException: Unsupported specification version: 1.6
   at CycloneDX.Models.Bom.set_SpecVersionString(String value)
...

cyclonedx-merge-stacktrace.txt

[candrews]

Do you have any estimate as to when cyclonedx 1.6 support will be available?

Thank you!

[candrews]

Trivy 0.5.3 (see aquasecurity/trivy#6902) produces CycloneDX 1.6, meaning that this tool doesn't work with the latest version of Trivy.

[Radial01]

I'd also like to find out if there's any ETA as to when we could expect CycloneDX 1.6 to be supported? Thanks!

[mtsfoni]

Depends.
If nobody beats me to it might be end of August/start of September.
I started once and stumbled over some tech debt, some of that has been fixed by other contributes by now.

As the CLI just consumes the library, here is the right issue regarding 1.6: CycloneDX/cyclonedx-dotnet-library#284

[mtsfoni]

Just released version 0.27.0 that should now support CycloneDX 1.6

[wkoot]

Confirmed that cyclonedx-cli merge can now process files adhering to "specVersion": "1.6" without throwing an error.
I tested this on a bunch of containers with aquasec/trivy:0.55.1 and cyclonedx/cyclonedx-cli:0.27.0.

[wkoot]

Although listed as supported, the files produced do not adhere to spec - see #409 and #399
In both cases there is no error logged by cyclonedx-cli, but the output file is not valid