CycloneDX · jkowalleck · Oct 24, 2023 · Sep 19, 2023 · Sep 19, 2023 · Sep 19, 2023
@@ -31,7 +31,7 @@ trim_trailing_whitespace = false
 indent_style = space
 indent_size = 4
 
-[*.ini]
+[{*.ini,.bandit,.flake8}]
 charset = latin1
 indent_style = space
 indent_size = 4
@@ -0,0 +1,20 @@
+[flake8]
+## https://flake8.pycqa.org/en/latest/user/configuration.html
+## keep in sync with isort config - in `isort.cfg` file
+
+exclude =
+    build,dist,__pycache__,.eggs,*.egg-info*,
+    *_cache,*.cache,
+    .git,.tox,.venv,venv,.venv*,venv*,
+    _OLD,_TEST,
+    docs
+
+max-line-length = 120
+
+max-complexity = 10
+
+ignore =
+    # ignore `self`, `cls` markers of flake8-annotations>=2.0
+    ANN101,ANN102
+    # ignore ANN401 for dynamically typed *args and **kwargs
+    ANN401
@@ -46,24 +46,48 @@ jobs:
       - name: Install dependencies
         run: poetry install --no-root
       - name: Run tox
-        run: poetry run tox -e flake8 -s false
+        run: poetry run tox run -e flake8 -s false
+
+  security-issues:
+    name: find Security Issues
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v4
+      - name: Setup Python Environment
+        # see https://github.com/actions/setup-python
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
+          architecture: 'x64'
+      - name: Install poetry
+        # see https://github.com/marketplace/actions/setup-poetry
+        uses: Gr1N/setup-poetry@v8
+        with:
+          poetry-version: ${{ env.POETRY_VERSION }}
+      - name: Install dependencies
+        run: poetry install --no-root
+      - name: Run tox
+        run: poetry run tox run -e bandit -s false
 
   static-code-analysis:
-    name: StaticCodingAnalysis (py${{ matrix.python-version}} ${{ matrix.toxenv-factor }})
+    name: StaticCodingAnalysis (py${{ matrix.python-version}} ${{ matrix.toxenv-factors }})
     runs-on: ${{ matrix.os }}
     timeout-minutes: 10
     strategy:
       fail-fast: false
       matrix:
         include:
-          - # test with the locked dependencies
+          - # test with the latest dependencies
             os: ubuntu-latest
-            python-version: '3.11'
-            toxenv-factor: 'locked'
+            python-version: '3.12'
+            toxenv-factors: '-current'
           - # test with the lowest dependencies
             os: ubuntu-latest
-            python-version: '3.7'
-            toxenv-factor: 'lowest'
+            python-version: '3.8'
+            toxenv-factors: '-lowest'
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
@@ -82,28 +106,25 @@ jobs:
       - name: Install dependencies
         run: poetry install --no-root
       - name: Run tox
-        run: poetry run tox -e mypy-${{ matrix.toxenv-factor }} -s false
+        run: poetry run tox run -e mypy${{ matrix.toxenv-factors }} -s false
 
   build-and-test:
-    name: Test (${{ matrix.os }} py${{ matrix.python-version }} ${{ matrix.toxenv-factor }})
+    name: Test (${{ matrix.os }} py${{ matrix.python-version }} ${{ matrix.toxenv-factors }})
     runs-on: ${{ matrix.os }}
     timeout-minutes: 15
     strategy:
       fail-fast: false
       matrix:
         os: ['ubuntu-latest', 'windows-latest', 'macos-latest']
         python-version:
-          - "3.11" # highest supported
+          - "3.12" # highest supported
+          - "3.11"
           - "3.10"
           - "3.9"
-          - "3.8"
-          - "3.7"  # lowest supported
-        toxenv-factor: ['locked']
-        include:
-          - # test with the lowest dependencies
-            os: ubuntu-latest
-            python-version: '3.7'
-            toxenv-factor: 'lowest'
+          - "3.8"  # lowest supported
+        toxenv-factors:
+          - '-allExtras'
+          - '-noExtras'
     steps:
       - name: Disabled Git auto EOL CRLF transforms
         run: |
@@ -135,14 +156,14 @@ jobs:
       - name: Ensure build successful
         run: poetry build
       - name: Run tox
-        run: poetry run tox -e py-${{ matrix.toxenv-factor }} -s false
+        run: poetry run tox run -e py${{ matrix.toxenv-factors }} -s false
       - name: Generate coverage reports
+        if: ${{ failure() || success() }}
         shell: bash
         run: |
           set -eux
-          poetry run coverage report
-          poetry run coverage xml -o "$REPORTS_DIR/coverage.${{ matrix.os }}_py${{ matrix.python-version }}_${{ matrix.toxenv-factor }}.cobertura.xml"
-          # poetry run coverage lcov -o "$REPORTS_DIR/coverage.${{ matrix.os }}_py${{ matrix.python-version }}_${{ matrix.toxenv-factor }}.lcov.xml"
+          poetry run coverage report -m
+          poetry run coverage xml -o '${{ env.REPORTS_DIR }}/coverage/${{ matrix.os }}_py${{ matrix.python-version }}_${{ matrix.toxenv-factors }}.cobertura.xml'
       - name: Artifact reports
         if: ${{ ! cancelled() }}
         # see https://github.com/actions/upload-artifact
@@ -172,12 +193,19 @@ jobs:
         uses: codacy/codacy-coverage-reporter-action@v1
         with:
           project-token: ${{ env.CODACY_PROJECT_TOKEN }}
-          coverage-reports: ${{ env.REPORTS_DIR }}/coverage.*
+          coverage-reports: ${{ env.REPORTS_DIR }}/coverage/*
 
   examples:
-    name: Examples
+    name: Examples E:${{ matrix.install-extras || '<none>' }}
     runs-on: ubuntu-latest
-    timeout-minutes: 15
+    timeout-minutes: 10
+    strategy:
+      fail-fast: false
+      matrix:
+        install-extras:
+          - '' # none
+          - json-validation
+          - xml-validation
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
@@ -186,7 +214,7 @@ jobs:
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@v4
         with:
-          python-version: '>=3.7 <=3.11'  # supported version range
+          python-version: '>=3.8 <=3.12'  # supported version range
       - name: Validate Python Environment
         shell: python
         run: |
@@ -198,7 +226,7 @@ jobs:
         with:
           poetry-version: ${{ env.POETRY_VERSION }}
       - name: Install package and prod dependencies
-        run: poetry install --only=main -vvv
+        run: poetry install --only=main --extras='${{ matrix.install-extras }}' -vvv
       - name: run all examples
         run: >
           find examples -type f -name '*.py' -print0

@@ -42,7 +42,31 @@ env:
   POETRY_VERSION: "1.4.1"
 
 jobs:
+  quicktest:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v4
+      - name: Setup Python Environment
+        # see https://github.com/actions/setup-python
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
+          architecture: 'x64'
+      - name: Install poetry
+        # see https://github.com/marketplace/actions/setup-poetry
+        uses: Gr1N/setup-poetry@v8
+        with:
+          poetry-version: ${{ env.POETRY_VERSION }}
+      - name: Install dependencies
+        run: poetry install --no-root
+      - name: Run tox
+        run: poetry run tox run -e py -s false
+
   release:
+    needs:
+      - quicktest
     # https://github.community/t/how-do-i-specify-job-dependency-running-in-another-workflow/16482
     # limit this to being run on regular commits, not the commits that semantic-release will create
     # but also allow manual workflow dispatch

@@ -1,6 +1,6 @@
 [settings]
 ## read the docs: https://pycqa.github.io/isort/docs/configuration/options.html
-## keep in sync with flake8 config - in `tox.ini` file
+## keep in sync with flake8 config - in `.flake8` file
 known_first_party = cyclonedx
 skip_gitignore = false
 skip_glob =
@@ -20,3 +20,5 @@ src_paths =
     cyclonedx
     tests
     typings
+    examples
+    tools
@@ -1,6 +1,6 @@
 [mypy]
 
-files = cyclonedx/
+files = cyclonedx/, examples/
 mypy_path = $MYPY_CONFIG_FILE_DIR/typings
 
 show_error_codes = True
@@ -26,9 +26,7 @@ no_implicit_optional        = True
 warn_redundant_casts        = True
 warn_return_any             = True
 no_implicit_reexport        = True
-
-# needed to silence some py37|py38 differences
-warn_unused_ignores         = False
+warn_unused_ignores         = True
 
 [mypy-pytest.*]
 ignore_missing_imports = True

@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -42,4 +40,4 @@ python:
    install:
      - method: pip
        path: .
-     - requirements: docs/requirements.txt
+     - requirements: docs/requirements.txt
@@ -12,7 +12,7 @@ This project uses [poetry]. Have it installed and setup first.
 To install dev-dependencies and tools:
 
 ```shell
-poetry install
+poetry install --all-extras
 ```
 
 ## Code style
@@ -23,9 +23,13 @@ Get it all applied via:
 
 ```shell
 poetry run isort .
-poetry run flake8 cyclonedx/ tests/ typings/
+poetry run autopep8 -ir cyclonedx/ tests/ typings/ examples/
 ```
 
+This project prefers `f'strings'` over `'string'.format()`.  
+This project prefers `'single quotes'` over `"double quotes"`.  
+This project prefers `lower_snake_case` variable names.  
+
 ## Documentation
 
 This project uses [Sphinx] to generate documentation which is automatically published to [readthedocs.io].
@@ -45,7 +49,7 @@ make html
 Run all tests in dedicated environments, via:
 
 ```shell
-poetry run tox
+poetry run tox run
 ```
 
 ## Sign off your commits

@@ -1,4 +1,4 @@
-# Python Library for generating CycloneDX
+# CycloneDX Python Library
 
 [![shield_pypi-version]][link_pypi]
 [![shield_conda-forge-version]][link_conda-forge]

@@ -0,0 +1,9 @@
+# https://bandit.readthedocs.io
+# filename must be like this, so codacy can pick it up: https://github.com/codacy/codacy-bandit/blob/master/src/main/scala/codacy/bandit/Bandit.scala#L35C49-L35C59
+
+exclude_dirs:
+  - docs
+  - .venv
+
+skips:
+  - B101
@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -13,11 +11,14 @@
 # limitations under the License.
 #
 # SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+
 
 """
 Python library for generating and representing CycloneDX software bill-of-materials.
 """
 
 # !! version is managed by semantic_release
 # do not use typing here, or else `semantic_release` might have issues finding the variable
-__version__ = "4.2.3"
+# flake8: noqa
+__version__ = "5.0.0-rc.2"
@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -13,15 +11,21 @@
 # limitations under the License.
 #
 # SPDX-License-Identifier: Apache-2.0
-#
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+
 
 """
 Exceptions that are specific to the CycloneDX library implementation.
 """
 
 
-class CycloneDxException(Exception):
+class CycloneDxException(Exception):  # noqa: N818
     """
     Root exception thrown by this library.
     """
     pass
+
+
+class MissingOptionalDependencyException(CycloneDxException):  # noqa: N818
+    """Validation did not happen, due to missing dependencies."""
+    pass
@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -13,7 +11,8 @@
 # limitations under the License.
 #
 # SPDX-License-Identifier: Apache-2.0
-#
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+
 
 """
 Exceptions relating to specific conditions that occur when factoring a model.