feat: update to latest RC of cyclonedx-python-lib

Signed-off-by: Paul Horton <paul.horton@owasp.org>

cyclonedx_py/__init__.py

@@ -0,0 +1,16 @@
+# encoding: utf-8
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.

cyclonedx_py/client.py

@@ -89,7 +89,7 @@ def get_output(self) -> BaseOutput:
             from importlib.metadata import version as md_version
         else:
             from importlib_metadata import version as md_version  # type: ignore
-        bom.metadata.add_tool(tool=Tool(
+        bom.metadata.tools.add(Tool(
             vendor='CycloneDX', name='cyclonedx-bom', version=md_version('cyclonedx-bom')
         ))
 

cyclonedx_py/parser/__init__.py

@@ -13,6 +13,7 @@
 # limitations under the License.
 #
 # SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
 
 """
 Set of concrete classes and methods which allow for quick creation of a Bom instance from your environment or Python

cyclonedx_py/parser/conda.py

@@ -21,7 +21,7 @@
 from abc import ABCMeta, abstractmethod
 from typing import List
 
-from cyclonedx.model import ExternalReference, ExternalReferenceType
+from cyclonedx.model import ExternalReference, ExternalReferenceType, XsUri
 from cyclonedx.model.component import Component
 from cyclonedx.parser import BaseParser
 # See https://github.com/package-url/packageurl-python/issues/65
@@ -65,9 +65,9 @@ def _conda_packages_to_components(self) -> None:
                     type='pypi', name=conda_package['name'], version=str(conda_package['version'])
                 )
             )
-            c.add_external_reference(ExternalReference(
+            c.external_references.add(ExternalReference(
                 reference_type=ExternalReferenceType.DISTRIBUTION,
-                url=conda_package['base_url'],
+                url=XsUri(conda_package['base_url']),
                 comment=f"Distribution name {conda_package['dist_name']}"
             ))
 

cyclonedx_py/parser/environment.py

@@ -68,14 +68,12 @@ def __init__(self) -> None:
                 c.author = i_metadata['Author']
 
             if 'License' in i_metadata and i_metadata['License'] != 'UNKNOWN':
-                c.licenses.append(
-                    LicenseChoice(license_expression=i_metadata['License'])
-                )
+                c.licenses.add(LicenseChoice(license_expression=i_metadata['License']))
 
             if 'Classifier' in i_metadata:
                 for classifier in i_metadata['Classifier']:
                     if str(classifier).startswith('License :: OSI Approved :: '):
-                        c.licenses.append(
+                        c.licenses.add(
                             LicenseChoice(
                                 license_expression=str(classifier).replace('License :: OSI Approved :: ', '').strip()
                             )

cyclonedx_py/parser/pipenv.py

@@ -20,7 +20,7 @@
 import json
 from typing import Any, Dict
 
-from cyclonedx.model import ExternalReference, ExternalReferenceType, HashType
+from cyclonedx.model import ExternalReference, ExternalReferenceType, HashType, XsUri
 from cyclonedx.model.component import Component
 from cyclonedx.parser import BaseParser
 # See https://github.com/package-url/packageurl-python/issues/65
@@ -48,11 +48,11 @@ def __init__(self, pipenv_contents: str) -> None:
                 for pip_hash in package_data['hashes']:
                     ext_ref = ExternalReference(
                         reference_type=ExternalReferenceType.DISTRIBUTION,
-                        url=c.get_pypi_url(),
+                        url=XsUri(c.get_pypi_url()),
                         comment='Distribution available from pypi.org'
                     )
-                    ext_ref.add_hash(HashType.from_composite_str(pip_hash))
-                    c.add_external_reference(ext_ref)
+                    ext_ref.hashes.add(HashType.from_composite_str(pip_hash))
+                    c.external_references.add(ext_ref)
 
             self._components.append(c)
 

cyclonedx_py/parser/poetry.py

@@ -18,7 +18,7 @@
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 
 from cyclonedx.exception.model import UnknownHashTypeException
-from cyclonedx.model import ExternalReference, ExternalReferenceType, HashType
+from cyclonedx.model import ExternalReference, ExternalReferenceType, HashType, XsUri
 from cyclonedx.model.component import Component
 from cyclonedx.parser import BaseParser
 # See https://github.com/package-url/packageurl-python/issues/65
@@ -41,9 +41,9 @@ def __init__(self, poetry_lock_contents: str) -> None:
 
             for file_metadata in poetry_lock['metadata']['files'][package['name']]:
                 try:
-                    component.add_external_reference(ExternalReference(
+                    component.external_references.add(ExternalReference(
                         reference_type=ExternalReferenceType.DISTRIBUTION,
-                        url=component.get_pypi_url(),
+                        url=XsUri(component.get_pypi_url()),
                         comment=f'Distribution file: {file_metadata["file"]}',
                         hashes=[HashType.from_composite_str(file_metadata['hash'])]
                     ))

cyclonedx_py/utils/__init__.py

@@ -0,0 +1,20 @@
+# encoding: utf-8
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+
+"""
+Set of utility classes.
+"""

pyproject.toml

@@ -25,7 +25,7 @@ classifiers = [
 
 [tool.poetry.dependencies]
 python = "^3.6"
-cyclonedx-python-lib = "^1.3.0"
+cyclonedx-python-lib = "^2.0.0rc0"
 
 [tool.poetry.dev-dependencies]
 autopep8 = "^1.6.0"

tests/test_parser_conda.py

@@ -16,7 +16,6 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) OWASP Foundation. All Rights Reserved.
-
 import os
 from unittest import TestCase
 
@@ -39,7 +38,7 @@ def test_conda_list_json(self) -> None:
         self.assertEqual('idna', c_noarch.name)
         self.assertEqual('2.10', c_noarch.version)
         self.assertEqual(1, len(c_noarch.external_references))
-        self.assertEqual(0, len(c_noarch.external_references[0].get_hashes()))
+        self.assertEqual(0, len(c_noarch.external_references.pop().hashes))
 
     def test_conda_list_explicit_md5(self) -> None:
         conda_list_ouptut_file = os.path.join(os.path.dirname(__file__), 'fixtures/conda-list-explicit-md5.txt')
@@ -55,4 +54,4 @@ def test_conda_list_explicit_md5(self) -> None:
         self.assertEqual('idna', c_noarch.name)
         self.assertEqual('2.10', c_noarch.version)
         self.assertEqual(1, len(c_noarch.external_references))
-        self.assertEqual(0, len(c_noarch.external_references[0].get_hashes()))
+        self.assertEqual(0, len(c_noarch.external_references.pop().hashes))

tests/test_parser_environment.py

@@ -16,7 +16,6 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) OWASP Foundation. All Rights Reserved.
-
 from unittest import TestCase
 
 from cyclonedx.model.component import Component
@@ -39,4 +38,4 @@ def test_simple(self) -> None:
         # We can only be sure that tox is in the environment, for example as we use tox to run tests
         c_tox: Component = [x for x in parser.get_components() if x.name == 'tox'][0]
         self.assertIsNotNone(c_tox.licenses)
-        self.assertEqual('MIT', c_tox.licenses[0].expression)
+        self.assertEqual('MIT', c_tox.licenses.pop().expression)

tests/test_parser_pipenv.py

@@ -16,7 +16,6 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) OWASP Foundation. All Rights Reserved.
-
 import os
 from unittest import TestCase
 
@@ -34,8 +33,9 @@ def test_simple(self) -> None:
 
         self.assertEqual('toml', components[0].name)
         self.assertEqual('0.10.2', components[0].version)
-        self.assertEqual(len(components[0].external_references), 2)
-        self.assertEqual(len(components[0].external_references[0].get_hashes()), 1)
+        c = components.pop()
+        self.assertEqual(len(c.external_references), 2)
+        self.assertEqual(len(c.external_references.pop().hashes), 1)
 
     def test_with_multiple_and_no_index(self) -> None:
         tests_pipfile_lock = os.path.join(os.path.dirname(__file__), 'fixtures/pipfile-lock-no-index-example.txt')
@@ -54,4 +54,4 @@ def test_with_multiple_and_no_index(self) -> None:
         self.assertEqual('toml', c_toml.name)
         self.assertEqual('0.10.2', c_toml.version)
         self.assertEqual(len(c_toml.external_references), 2)
-        self.assertEqual(len(c_toml.external_references[0].get_hashes()), 1)
+        self.assertEqual(len(c_toml.external_references.pop().hashes), 1)

tests/test_parser_poetry.py

@@ -16,7 +16,6 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) OWASP Foundation. All Rights Reserved.
-
 import os
 from unittest import TestCase
 
@@ -30,7 +29,7 @@ def test_simple(self) -> None:
 
         parser = PoetryFileParser(poetry_lock_filename=tests_poetry_lock_file)
         self.assertEqual(1, parser.component_count())
-        components = parser.get_components()
-        self.assertEqual('toml', components[0].name)
-        self.assertEqual('0.10.2', components[0].version)
-        self.assertEqual(len(components[0].external_references), 2)
+        component = parser.get_components().pop()
+        self.assertEqual('toml', component.name)
+        self.assertEqual('0.10.2', component.version)
+        self.assertEqual(len(component.external_references), 2)

tests/test_parser_requirements.py

@@ -16,7 +16,6 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) OWASP Foundation. All Rights Reserved.
-
 import os
 import unittest
 from unittest import TestCase