
do not add self to `metadata.tools`

Open jkowalleck opened this issue 1 year ago • 2 comments

If the Bom.metadata.tools are found empty, this library adds an entry to it, to represent itself.

This might look like a cute idea at first, but it alters the original data on deserialization: when deserializing a CycloneDX BOM that did not hold any data about tools, the library adds itself to the tools. This is unexpected behavior.

A suitable solution would be to not add this library to the SBOM at all. Instead, the library should provide functionality in the form of a builder to generate its own representation as a tool/component, so that downstream users may use it.

jkowalleck avatar Sep 16 '24 16:09 jkowalleck
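As an added example (not part of this issue or of the library's own code): a small round-trip check that flags any entry appearing in or vanishing from `metadata.tools` between the BOM handed to a processing step and the BOM it produced, so that silent self-insertion of the kind described above is caught. The two BOM documents and the tool name `some-sbom-lib` are constructed samples.

```python
import json
from typing import Any

# Constructed sample: a CycloneDX 1.5 BOM whose metadata carries no tools at all.
ORIGINAL_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "demo-app"}},
    "components": [],
})

# Constructed sample: the same BOM after a round trip through a tool that
# silently inserted itself into metadata.tools (the behaviour this issue reports).
ROUNDTRIPPED_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {"type": "application", "name": "demo-app"},
        "tools": {"components": [{"type": "library", "name": "some-sbom-lib", "version": "0.0.0"}]},
    },
    "components": [],
})


def tool_identities(bom: dict[str, Any]) -> set[str]:
    """Return 'kind:group/name@version' strings for every entry in metadata.tools.

    Handles both encodings of metadata.tools: the CycloneDX 1.4 legacy array of
    tool objects, and the 1.5+ object with 'components' and 'services' lists.
    """
    tools = bom.get("metadata", {}).get("tools")
    if tools is None:
        return set()
    if isinstance(tools, list):  # legacy 1.4 form: a plain array of tools
        entries = [("tool", t) for t in tools]
    else:  # 1.5+ form: {"components": [...], "services": [...]}
        entries = [("component", c) for c in tools.get("components", [])]
        entries += [("service", s) for s in tools.get("services", [])]
    return {
        f"{kind}:{e.get('group') or ''}/{e.get('name', '?')}@{e.get('version') or ''}"
        for kind, e in entries
    }


def unexpected_tools(before_json: str, after_json: str) -> dict[str, set[str]]:
    """Diff metadata.tools across a deserialize/serialize round trip.

    Both returned sets are empty when the processing step preserved the metadata.
    """
    before = tool_identities(json.loads(before_json))
    after = tool_identities(json.loads(after_json))
    return {"added": after - before, "removed": before - after}
```

Run it against the BOM you feed into a pipeline stage and the BOM that stage writes back; any non-empty `added` set is a tool entry the stage introduced on its own.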

This is considered a breaking change, as existing behaviour is modified.

jkowalleck avatar Sep 16 '24 16:09 jkowalleck

implementation finished

jkowalleck avatar Sep 16 '24 18:09 jkowalleck

was released via https://github.com/CycloneDX/cyclonedx-python-lib/releases/tag/v8.0.0

jkowalleck avatar Oct 14 '24 12:10 jkowalleck