3.10.0

Changed

• Raised dependency cyclonedx/cyclonedx-library:^1.4.2, was cyclonedx/cyclonedx-library:^1.3.1. (via #192)

Misc

• Adjusted internal typing and typehints. (via #192)
• Improved compatibility to Composer v2.3 (via #212)

3.9.2

Fixed

• ExternalReferences fetched from composer's support.email are correctly prefixed with "mailto:". (via #161)
  Value was unmodified in the past.

3.9.1

Fixed

• XML validation error for ExternalReference. (#158 via #159)

Changed

• The ValidationError message requests reporting with the "ValidationError" issue template. (via #160)
  No template was used in the past.

3.9.0

Added

• The resulting SBoM hold ExternalReferences as fetched from package descriptions. (via #145)

3.8.0

Fixed

• Compatibility with composer v2.0.0 to v2.0.4 was improved. (via #152)
• Possible crashes when composer was not able to detect component's version properly.

3.7.0

Added

• CLI got a new switch --no-version-normalization. (via #138)
  That allows to omit component version-string normalization.
  Per default this plugin will normalize version strings by stripping leading "v".
  This is a compatibility-switch. The next major-version of this plugin will not modify component versions. (see #102)

3.6.0

Added

• CLI got a new option --mc-version. (via #133)
  That allows to set the main component's version in the resulting SBoM,
  so that the auto-detection can be overridden.

Fixed

• The resulting SBoM's main component's purl does not get a version assigned,
  if the version auto-detection fails. (via #134)

3.5.0

Changed

The "Core" library was moved to an own package: https://packagist.org/packages/cyclonedx/cyclonedx-library
The new external package/library is a one-to-one copy of the original code from this project, which now is a dependency/required of this project. So usage/leverage of the original code is still possible without any changes for third parties.
See #87 for details.

3.4.1

Fixed

Improved compatibility to composer.

3.4.0

Changed

• Core library
  • Some repository data-types are lists of unique items, so no duplicates are kept.
    Affected classes/data-types :
    • ComponentRepository
    • DisjunctiveLicenseRepository
    • ToolRepository

Added

• CLI via composer make-bom
  • Will try to populate dependencies of the SBoM result.
• Core library
  • Added BomRef model to link bom elements in general.
    Added BomRefRepository data type as a collection of unique BomRef.
  • Added bomRef to Component model to link components as dependencies.
    Added dependencies to Component model.
  • Added ability to serialize dependencies to XML.
  • Added ability to serialize dependencies to JSON.

Misc

• Moved development docs to docs/dev/.
• Refactored the plugin's internals.