
Support for CycloneDX 1.5 or 1.6

Open flemminglau opened this issue 1 year ago • 4 comments

I am a bit unsure as it is not very well defined in the sources, but it seems we are linking with cyclonedx.core.java 7.3.2, which is from Feb 2023.

I guess this means that we are at CycloneDX 1.4 level?

I have the issue right now that my SBOMs contain a components.externalReferences[].type="distribution-intake", which I believe is new in 1.5.

That fails, in a quite inelegant way.

flemminglau avatar Apr 12 '24 15:04 flemminglau
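A pre-flight check for the situation described in this post, added here as an example and not part of cdx2spdx or the original report: it reads a CycloneDX JSON BOM, reports its declared specVersion, and lists every externalReferences[].type (on the BOM itself, metadata.component, and all nested components) that is not in the CycloneDX 1.4 set, so that an SBOM can be screened before it is handed to a converter still pinned to a 1.4-era library. The allowed-type list is an assumption transcribed from the 1.4 JSON schema; the sample BOM is constructed for the example.

```python
"""Pre-flight check: which externalReferences[].type values in a CycloneDX
JSON BOM fall outside the CycloneDX 1.4 set? (Added example, not project code.)"""
import json
import sys
from typing import Any, Dict, Iterator, List

# External reference types allowed by the CycloneDX 1.4 JSON schema.
# Assumption: transcribed from bom-1.4.schema.json; verify against the
# schema version you actually pin before relying on this list.
CDX_1_4_EXTREF_TYPES = frozenset({
    "vcs", "issue-tracker", "website", "advisories", "bom", "mailing-list",
    "social", "chat", "documentation", "support", "distribution", "license",
    "build-meta", "build-system", "release-notes", "other",
})


def _walk(comp: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield a component and, recursively, its nested sub-components."""
    yield comp
    for child in comp.get("components", []):
        yield from _walk(child)


def iter_components(bom: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield every component in the BOM, including metadata.component."""
    meta_comp = bom.get("metadata", {}).get("component")
    if meta_comp:
        yield from _walk(meta_comp)
    for comp in bom.get("components", []):
        yield from _walk(comp)


def find_unsupported_extrefs(bom: Dict[str, Any],
                             allowed=CDX_1_4_EXTREF_TYPES) -> List[Dict[str, str]]:
    """Return one record per externalReference whose type is not in `allowed`.
    The BOM's own top-level externalReferences are checked as well."""
    findings: List[Dict[str, str]] = []
    scopes = [("<bom>", bom)]
    scopes += [(c.get("name", "<unnamed>"), c) for c in iter_components(bom)]
    for owner, obj in scopes:
        for ref in obj.get("externalReferences", []):
            rtype = ref.get("type")
            if rtype not in allowed:
                findings.append({"owner": owner, "type": str(rtype),
                                 "url": ref.get("url", "")})
    return findings


def preflight(bom_json: str) -> Dict[str, Any]:
    """Parse a CycloneDX JSON document and summarise what a 1.4-only
    consumer would choke on."""
    bom = json.loads(bom_json)
    return {
        "specVersion": bom.get("specVersion"),
        "unsupported": find_unsupported_extrefs(bom),
    }


# Constructed sample input (not taken from the issue): a minimal 1.5 BOM with
# one 1.4-compatible reference and one "distribution-intake" reference.
SAMPLE_BOM_15 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [{
        "type": "library",
        "name": "example-lib",
        "version": "1.0.0",
        "externalReferences": [
            {"type": "vcs", "url": "https://example.invalid/example-lib.git"},
            {"type": "distribution-intake", "url": "https://example.invalid/intake"},
        ],
    }],
})

if __name__ == "__main__":
    # Usage: python preflight.py [bom.json]; with no argument the sample is used.
    data = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_BOM_15
    result = preflight(data)
    print(f"specVersion: {result['specVersion']}")
    for f in result["unsupported"]:
        print(f"  {f['owner']}: externalReference type '{f['type']}' is not in CycloneDX 1.4 ({f['url']})")
    sys.exit(1 if result["unsupported"] else 0)
```

The script exits non-zero when any unsupported type is found, so it can gate a pipeline step; the findings name the owning component so the offending reference can be dropped or remapped to "other" before conversion, rather than discovering the failure inside the converter.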

@flemminglau you are correct, this library has not been updated for later CDX libraries or versions after 1.4.

In addition to updating the libraries, we'll also need to re-look at any mappings of the values.

Once we have the Java libraries for SPDX 3.0, I can update both CDX and SPDX to the latest - likely 2-3 weeks.

goneall avatar Apr 14 '24 17:04 goneall

I am also interested in converting from CycloneDX 1.5 to SPDX.

jlplenio avatar May 27 '24 08:05 jlplenio

Thanks @jlplenio for your interest - Just a quick update, I'm still working on the SPDX 3.0 libraries - taking longer than expected. Once that is done, I'll update this library with the latest SPDX and CDX versions.

goneall avatar May 27 '24 18:05 goneall

It seems the changes in CycloneDX 1.5 and 1.6 are more substantial than I first realized. So this is really becoming a showstopper as other tool chain improvements are only available in versions producing CDX 1.6 output (I am using sbomasm).

flemminglau avatar Aug 08 '24 08:08 flemminglau