bom mergeimproved: the dependencies are reconstructed, i.e. all dependencies that existed in the SBOMs before the merge should also exist after the merge.bom convertimproved: we can now convert from and to CycloneDX XML.- new command
bom validateto do a siple validation whether a given SBOM complies with the CycloneDX spec version 1.4, 1.5 or 1.6.
- make
findsourcesmore resilient against SW360 issues. project createbomnow stores multiple purls in the property "purl_list" instead of trying to encode them in a strange way in the "purl" field.- support CycloneDX 1.6 and Siemens Standard BOM 3.
bom createcomponents: attachment upload is now more robust to prevent .git files being uploaded.- granularity list extended.
- dependency updates.
getdependencies pythoncan now detect and ignore dev dependencies also for new versions of thepoetry.lockfile. This is done by using also the information of thepyproject.tomlfile.- add documentation for SBOM filtering.
- fix: urls coming from granularity file are repository urls and not source code download urls.
- fix wrong variable to correct
bom findsources. - fix loading of SBOMs that support different kinds of licenses.
- run unit tests also for Python 3.12 and 3.13.
- Fixed an error when creating an SBOM from a project on SW360 when this project contains a component with more than one package-url.
- Fixed an issues when getting invalid package-urls.
- New flag
-pmsor--project-mainline-stateto specify which project mainline state should be used for releases of a new project created byproject create. - Dependency updates.
- CaPyCLI is more resilient when accessing SW360.
- Dependency updates:
- idna 3.6 => 3.7 to fix a security vulnerability
- sw360 1.4.1 -> 1.5.0 to have an improved session handling for all api requests.
- Have an updated granularity list.
- New feature that adds a flag
force errortoproject prerequisitesto exit the application with an error code in case of a failed prerequisites check. - The flag
force erroris also available forproject getlicenseinfoand results in an error code if a CLI file is missing.
- Update dependencies, especially use sw360, version 1.4.1. to fix a problem in
project update.
getdependencies javascriptcan now handle package-lock.json files of version 3.bom findsourcescan do source URL discovery using sw360 lookup, perform extensive GitLab deep search, and adapt search strategy based on diverse programming languages.- Have type support.
- Be more resilient about missing metadata in CycloneDX SBOMs.
- The
-oparameter of the commandproject GetLicenseInfois now optional. But you still need this output when you want to create a Readme. project createbomadd purls, source and repository url from SW360 if available. If multiple purls are found, a warning is printed asking user to manually edit SBOM.project createbomadds SW360 source and binary attachments as external reference to SBOM.project createbomadds SW360 project name, version and description to SBOM.bom granularitycan now read custom granularity data from local files and remote URLs.- update dependencies, unfortunately vcrpy does not support urllib3 >= 2 and new vcrpy version result in unit test issues.
- Have an updated granularity list.
- Re-enable support for Python 3.8 and 3.9.
- A list of frequently asked questions has been added.
getdependencies pythonnow also accepts a Poetry lock file (must bepoetry.lock) as input. Development dependencies are automatically excluded.- Code of conduct added.
- Warnings about multiple purls entries when running
bom mapare now only shown if-vhas been specified. - breaking change
bom mapwill report matches by name, but different version only if-allhas been specified. The original idea of CaPyCLI was to report as many potential matches as possible and to let the user decide which match to take by editing the SBOM. But it seems that many users did not read the documentation and the expectations were different. Therefore the default behavior has been changed. The original behavior of versions prior to 2.x can be enabled via the-allswitch.
- breaking changes
- new command
bom convertto import and export SBOM in multiple formats. This new command replacesbom fromCSV,bom FromFlatFist,bom FromSbom,bom ToHtmlandbom ToSbom. bom sortis discontinued, CycloneDX SBOMs are always sorted by component name.- The option
-sourceofGetDependencies pythonis discontinued, please usebom downloadsourcesinstead. project showwrites the output file only in plain JSON and not CycloneDX.project CreateReadmerequires new entries in readme_oss_config.json to be independent of the name SiemensCompanyNameCompanyAddressN, N = 1..4
bom mapnow uses alphanumeric identifier for mapping instead of integer values:- INVALID:
0-invalidinstead of 0 - FULL_MATCH_BY_ID:
1-full-match-by-idinstead of 1 - FULL_MATCH_BY_HASH:
2-full-match-by-hashinstead of 2 - FULL_MATCH_BY_NAME_AND_VERSION:
3-full-match-by-name-and-versioninstead of 3 - MATCH_BY_FILENAME:
4-good-match-by-filenameinstead of 4 - MATCH_BY_NAME:
5-candidate-match-by-nameinstead of 5 - SIMILAR_COMPONENT_FOUND:
6-candidate-match-similar-componentinstead of 6 - NO_MATCH:
9-no-matchinstead of 100
- INVALID:
bom mapnow uses alphanumeric identifier for map modes (-m) instead of integer values:allinstead of 0foundinstead of 1notfoundinstead of 2
- dropped support for option
-stage. The SW360 server instance can get specified via the-urlparameter. - The hard coded address https://sw360.siemens.com has been removed.
CaPyCLI reads the SW360 server address either from the environment variable
SW360ServerUrlor via the-urlparameter. - CaPyCLI supports an optional config file
.capycli.cfg. Settings defined in the config file supersede settings in environment variables. Command line parameters supersede config file settings.
- new command
- The cache functionality of
bom mapalso supports the staging system. project GetLicenseInfocan take over data from existing Readme_OSS config files.
- Purl cache will only retrieve package URLs from SW360 with the types used in BOM to reduce the number of warnings for inconsistent SW360 entries.
- use CycloneDX BOM syntax from https://sbom.siemens.io/v2/format.html for
source urls ("comment": "source archive (download location)" in
externalReferences) - support CycloneDX externalReferences/hashes for SHA-1 hash
- All commands have now proper result/exit codes, see Exit Codes.
project GetLicenseInfocan now add all available CLI files to the readme configuration file if the-alloption is being used. A warning will be displayed if there are multiple CLI files for the same component.project CreateReadmewill put all contents of all CLI files in the Readme_OSS, but will also display a warning when there are multiple CLI files for the same component.- The use of "id" to identify a release has been deprecated, we now only use "Sw360id".
bom checkandbom checkitemstatusnow process also BOM item without Sw360id. In this case they will search SW360 by name and version ... which takes much more time.
- Drop support for Python 3.6 and 3.7 due to dependency updates and the new OSS version of cli, called cli-support.
- use sw360, version 1.2.1 with minimal logging support.
- Have direct help support for
project licenses,project createreadme,project createbom, andproject GetLicenseInfo.
bom mapis now more resilient about errors during the mapping of a single BOM item.bom maphas a new parametermode. If mode is not set, then there is the default mapping. Ifmode= 1, then the resulting BOM contains only components where a full match was found. Ifmode= 2, then the resulting BOM contains only components where no match was found.getdependencies pythonandproject prerequisitesnow support CycloneDX SBOM.bom filteraddcommand can now add properties to existing bom items.bom downloadsourceshandles quotes in filenames returned by content-disposition.bom downloadsourcescan now write an updated BOM including SHA1 hashes.- In CycloneDX SBOMs, the URL to source files will now be stored and read to/from
externalReferencesof typedistribution(with special comment "source URL") in addition to our customsource-file-urlproperty. - Fix command
project showwhich cause an exception if some of the mandatory data is missing --dbx(Debian relaxed version handling) inbom create...improved: First, it will check for exact matches now. When falling back to relaxed matching, Debian epoch strings are ignored, while Debian revisions are always considered. Output BOM will have SW360 versions.bom create*will set package-urls for existing and new components- Key error issue fixed in maven_pom.py.
- All commands show now the version number, i.e. something like
CaPyCli, 1.8.3.
- Fix in CycloneDX reading of JavaScript or Java component that have a
groupproperty. - New command
project eccto show the project export control details. - Fix: when
bom granularityreads a BOM in CycloneDX format, it now also writes the BOM in CycloneDX format.
- Fixed bug in
getdependencies javascriptwhen not all meta information for a package could get retrieved. bom downloadsourcesnow supports also option-cxto support the CycloneDX SBOM format.- CycloneDX JSON BOMs are expected in UTF-8 encoding.
bom maphas now a much faster way to create/update the cache. Due to the new SW360 REST API endpoint to get all releases with one call it now takes only 1.3 minutes.project vulnerabilitiesis working again. It seems that there was a breaking change in the REST API answer.
- Fix bug in
bom findsourceswhen using CycloneDX bom files. - Improved help support
- When no command has been specified, the global help will be shown.
- When no sub-command has been specified, the respective command help will be shown.
project vulnerabilitiesuses only the information from SW360 to display security vulnerabilities and can exit with exit code 1 when a not yet handled security vulnerability of a certain minimum priority has been found.
project shownow also displays the component clearing state.bom filterallows to include additional filter lists. This simplifies filtering for large number of BOM entries and many items to get filtered.bom create*will now ignore rejected attachments in SW360. So if an invalid attachment is rejected in SW360, it will upload the fixed sources.project updatewill not overwrite links to other projects any more- A couple of crashes have been fixed in
bom map,bom filterandproject create. - several fixes for purl cache handling.
- License changed to MIT!
bom maphandles now also multiple package-urls per release correctly.- new command
project updatewhich will add new releases instead of replacing existing links. project prerequisitesnow checks if all BOM entries are in SW360 project.- BOM mapping documented.
bom CheckItemStatusupdated:- the new default is that only the releases in the BOM are shown. Only when the flag
-allis specified, all versions of the component are checked. - new option
-cxto support the CycloneDX SBOM format. - Have improved help support.
- the new default is that only the releases in the BOM are shown. Only when the flag
- New command
bom findsourcesto find source code for existing BOMs. bom filtersupports removal of entries byRepositoryId. This is sometimes required when a (CycloneDX) BOM contains several items with the same name.getdependencies javascriptcreates a BOM item with the nameHomepage. This is not the intended name, it has to beProjectSite. The code for dependency detection and component creation has been updated. For compatibility both names are support, butHomepageis marked as deprecated.bom findsourcesis more fail save and allows to specify GitHub credentials.
- New parameter
-package-sourceto specify a custom package manager. The parameter is very helpful if your are in an environment where you cannot access the internet, for example when running CI/CD on code.siemens.com. Package metadata can get retrieved for example from BT-Artifactory: - Fix: NOT_README_OSS tags are now properly handled during Readme_OSS generation.
- The granularity check reset all release information which are not correct anymore after merging them by granularity check.
- When downloading files in
bom createcomponents, filenames are now updated according to HTTPcontent-disposition. bom diffcan now write lists of different and of identical BOM items.bom maphas some improvements in package-url handling.getdependencies javascripthas an improved method to determine source files.getdependencies MavenListhas improved parsing of Maven output.project createcan now use all data in projectinfo.json that conforms with the REST API specification. It is now for example also possible to add attachment during project creation.- New option
-cxto support the CycloneDX SBOM format for the commandsbom diff
- Unit tests for
bom diffadded. - Improved help support:
- When
-his specified for a main command, a help on all respective subcommands. Available forbom,moverview,mapping,project,getdependencies. - When
-his specified for a sub-command, then a specific help for this sub-command is shown. Available forshow bom,bom filter,bom diff,bom merge,bom check,bom granularity,bom fromsbom,bom map,bom createcomponents,bom downloadsources,mapping toxlsx,mapping tohtml,moverview toxlsx,moverview tohtml,getdependencies python,getdependencies javascript,getdependencies nuget,getdependencies mavenpom,getdependencies mavenlist.
- When
bom filternow supports trailing wildcards.- Improved CycloneDX handling (schema 1.3) for commands
bom fromsbomandbom tosbom. - New option
-cxto support the CycloneDX SBOM format for the commandsbom showbom filterbom mapbom checkbom createcomponentsproject createbom granularity
- Fix wrong project id assignment in
project show.
bom createsupports additional BOM fieldsSourceFileTypeandSourceFileCommentbom createnow supports updating of existing releases - source URL and external ID will be added if not set already. Source file will be uploaded if the existing release has no source attachments - otherwisecapycliwill warn if existing upload doesn't match BOM. Sobom createcan be interrupted and resumed at any time or just ran to verify existing releases.getdependencies javascriptnow creates package-urls and no longer npm-ids.getdependencies nugetnow creates package-urls and no longer nuget-ids.
bom createwith--dbxoption will reuse existing SW360 releases with "similar" Debian versions. It will ignore epoch prefix ("2:") and ".debian" suffix, so BOM entry "2:5.2.1-1.debian" will match SW360 release "5.2.1-1".bom createonly downloads missing sources if--downloadis specifiedbom createnow respects filename given in "SourceFile" also when "SourceFileUrl" is givengetdependencies pythonnow uses the common-sourceoption to specify the folder for downloading sources instead of the special--download_sourcesoptiongetdependencies mavenlistallows now to specify a Maven dependency file using the-ioption. This file is then converted to a BOM.
project createbomto create a CycloneDX SBOM file for an existing SW360 project.
- improve error output for
project createandbom CreateComponents. - fix: adapt moderators handling for
project create. - fix temp folder handling and attachment upload for
bom CreateComponents.
bom fromsbomsupports also JSON CycloneDX SBOMs.bom fromsbomextracts alsoProjectSiteandRepositoryUrlfrom SBOMs.- missing dependency chardet added.
- improved JavaScript metadata search and evaluation.
- new command
bom granularityto check a bill of material for potential component granularity issues. getdependencies nugetnow also handles Visual Studio solution files.getdependencies javascriptis more flexible about missing information.- new feature
bom diffto compare two bills of material. - new feature
bom mergeto merge two bills of material. - the exit code is only displayed when the
-exoption has been specified.
project prerequisites: If a BOM with "SourceFileHash" entries is provided as input, verify SHA1s of sources. It also checks that there's exactly one source file per release.- new command
bom createReleasesto limit automation to creation of new releases in components identified via package-urls (see example.md) bom map: full support for searching components and releases by package-url (purl) in--nocacheas well as in default modebom map: leave original item im BOM if no good release match was found, and include "ComponentId" if we know if for sure (e.g. match by purl)
- due to a breaking change in the SW360 REST API:
downloadurlhas been replaced bysourceCodeDownloadurl
- check_prerequisites.py: better handling of missing keys
- fixed bug that crashed capycli if
-old-versionparam was missing
- new switch
-old-versionto update an existing project to a new version instead of creating a new project (thanks to Bogdan Victor Serbanescu).
- Added extra validation (name equality) when choosing a matching component (thanks to Bogdan Victor Serbanescu).
- Fix: project show status: check that a release has "_embedded" data.
- version 0.9.4 released.
- new command
bom downloadsourcesto download source files from the URL specified in the BOM. - all errors result in exit code = 1.
- new option
-sourcefor commandbom createcomponentsto specify a folder where to find/store source code files. bom createcomponents: source code files will only get downloaded if they do not yet exist locally.- fix: correct handling of components without releases.
- automatic upload of source files/urls as attachments
- determine source code URL for JavaScript component from package-lock.json
- version 0.9.2 released
- creation of components fixed
- version 0.9.1 released
- new structure: there is only one script: CaPyCli
- version 0.9.0 released, binaries are available on BT-Artifactory
- Improved error handling in sw360_api.py:
- Base class for scripts added
- Introduced pipenv (Pipfile, Pipfile.lock)
- Replaced ansi by colorama for better compatibility