[Feature] Support CycloneDX 1.6
Problem
It seems like there's currently no support for outputting the JSON with the CycloneDX 1.6 format. Is support for this planned? I would be willing to add support if given the go-ahead. Currently, serde-cyclonedx supports v1.6, but it'd be nice if this crate supported it too 🙂
I'm happy to merge a pull request adding v1.6 support.
AFAIK I'm the only active maintainer and I'm already spread very thin, so v1.6 support will only happen if either someone opens a PR for it, or provides funding so that one of the maintainers could implement it.
I'm looking at all PRs and issues as well but you usually get to it before me. :)
1.6 support would be fabulous. It's on my to-do list so I'll try to get to it eventually but if you'd be up for a PR that'd be great. We can definitely also help and @justahero can probably also give some hints on how to implement this best seeing as he was the one adding 1.5 support.
Yeah I can work on it this weekend for sure :)
Does discussion about development for this project typically happen on Slack? It'd be great to have a place I can ask questions in 😁
I'd also be thrilled to see 1.6 🚀 💓
CycloneDX 1.6.1 is out with some fixes. See https://github.com/CycloneDX/specification/releases/tag/1.6.1. There is also new/updated test data in https://github.com/CycloneDX/specification/tree/master/tools/src/test/resources/1.6
You're welcome to jump on Slack for any discussion needs, yeah. But we can also keep it here. Whatever you prefer!
What is the current state here?
No progress at the moment I'm afraid. But I hope to have something to report soon, no promises though. In the meantime: If anyone wants to pick this up you're welcome to!
Isn't it covered natively now? https://github.com/rust-lang/cargo/pull/13709 ?
No. That Cargo PR only writes a "sbom precursor" that contains an accurate dependency tree. It is up to external tools like cargo-cyclonedx to collate it with cargo metadata output and convert the result to CycloneDX/SPDX/etc.