wkoot
What's the status on a new version release? Is it an option to release 2.4.0 before 3.0, or perhaps even a 2.3.6 bugfix? It would be nice to avoid this...
Implementing this as refined does not seem to be compatible with the current concept of measurements. We run into the problem that the metric measurement "violation density" is not actually...
Why not `response.get('content-location', response['Content-Location'])`? Anyway - the Instagram v1 API this library uses has been deprecated and will be discontinued. A lot of Instagram endpoints are already no longer...
The point is that it should not fail silently; either `'Content-Location'` or `'content-location'` should be tried. If neither of these headers is there, raising an exception is correct. Might be...
I think the problem lies in the deduplication of SortedSet; elements are not added to the set when their value matches. The equality operator in the Component class compares the...
Fair point, but when there are multiple BOM files sourced in the python script, this is no longer applicable. When merging sets of `Vulnerability` objects from separate BOM files, they...
> `bom-ref` is intentionally not part of the `__eq__` or `__hash__` method - it has no meaning, it is a mere reference-indicator. `c1` and `c2` are the same component ->...
It seems that deserialization silently loads broken bom data, in the [case of duplicate components as earlier referred to](https://github.com/aquasecurity/trivy/discussions/7532). EDIT: Created separate issue - https://github.com/CycloneDX/cyclonedx-python-lib/issues/677