-
Notifications
You must be signed in to change notification settings - Fork 63
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
build(deps): update cyclonedx-python-lib requirement from <1.0.0,>=0.11.1 to >=0.11.1,<2.0.0 #216
build(deps): update cyclonedx-python-lib requirement from <1.0.0,>=0.11.1 to >=0.11.1,<2.0.0 #216
Conversation
Updates the requirements on [cyclonedx-python-lib](https://github.com/CycloneDX/cyclonedx-python-lib) to permit the latest version. - [Release notes](https://github.com/CycloneDX/cyclonedx-python-lib/releases) - [Changelog](https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md) - [Commits](CycloneDX/cyclonedx-python-lib@v0.11.1...v1.1.0) --- updated-dependencies: - dependency-name: cyclonedx-python-lib dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>
formatter = output.get_instance( | ||
bom=bom, | ||
output_format=self._inner_format.value, | ||
schema_version=output.SchemaVersion.V1_4, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
N.B.: This explicitly pins us to CycloneDX's 1.4 schema now that it's supported, which fixes #151.
Example JSON SBOM with these changes:
|
cc @di: Should we consider this a breaking change? It changes the inner structure of the |
Co-authored-by: Dustin Ingram <[email protected]>
|
### Added * CLI: The `--fix` flag has been added, allowing users to attempt to automatically upgrade any vulnerable dependencies to the first safe version available ([#212](pypa/pip-audit#212), [#222](pypa/pip-audit#222)) * CLI: The combination of `--fix` and `--dry-run` is now supported, causing `pip-audit` to perform the auditing step but not any resulting fix steps ([#223](pypa/pip-audit#223)) * CLI: The `--require-hashes` flag has been added which can be used in conjunction with `-r` to check that all requirements in the file have an associated hash ([#229](pypa/pip-audit#229)) * CLI: The `--index-url` flag has been added, allowing users to use custom package indices when running with the `-r` flag ([#238](pypa/pip-audit#238)) * CLI: The `--extra-index-url` flag has been added, allowing users to use multiple package indices when running with the `-r` flag ([#238](pypa/pip-audit#238)) ### Changed * `pip-audit`'s minimum Python version is now 3.7. * CLI: The default output format is now correctly pluralized ([#221](pypa/pip-audit#221)) * Output formats: The SBOM output formats (`--format=cyclonedx-xml` and `--format=cyclonedx-json`) now use CycloneDX [Schema 1.4](https://cyclonedx.org/docs/1.4/xml/) ([#216](pypa/pip-audit#216)) * Vulnerability sources: When using PyPI as a vulnerability service, any hashes provided in a requirements file are checked against those reported by PyPI ([#229](pypa/pip-audit#229)) * Vulnerability sources: `pip-audit` now uniques each result based on its alias set, reducing the amount of duplicate information in the default columnar output format ([#232](pypa/pip-audit#232)) * CLI: `pip-audit` now prints its output more frequently, including when there are no discovered vulnerabilities but packages were skipped. Similarly, "manifest" output formats (JSON, CycloneDX) are now emitted unconditionally ([#240](pypa/pip-audit#240)) ### Fixed * CLI: A regression causing excess output during `pip audit -r` was fixed ([#226](pypa/pip-audit#226))
Updates the requirements on cyclonedx-python-lib to permit the latest version.
Fixes #151.
Release notes
Sourced from cyclonedx-python-lib's releases.
Changelog
Sourced from cyclonedx-python-lib's changelog.
... (truncated)
Commits
d4007bd
1.1.01ac31f4
feat: add support forbom.metadata.component
(#118)3509fb6
Manually generated release7fb6da9
Support for CycloneDX schema version 1.4 (#108)3058afc
chore: attempt to produce manual GitHub action to release a RC versiond26970b
Merge branch 'main' of github.com:CycloneDX/cyclonedx-python-lib6799e63
chore: attempt to produce manual GitHub action to release a RC version42f7952
chore: disable poetry-cache in gh-workflow (#112)4448d9b
Update CONTRIBUTING.md89d8382
chore: removed pdoc3 from main dev dependencies as now covered in docs/requir...Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase
will rebase this PR@dependabot recreate
will recreate this PR, overwriting any edits that have been made to it@dependabot merge
will merge this PR after your CI passes on it@dependabot squash and merge
will squash and merge this PR after your CI passes on it@dependabot cancel merge
will cancel a previously requested merge and block automerging@dependabot reopen
will reopen this PR if it is closed@dependabot close
will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot ignore this major version
will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor version
will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependency
will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)