Merge branch 'main' into feat/refactor-validation-to-model-validator

Author: saquibsaifee

CHANGELOG.md

@@ -2,6 +2,32 @@
 
 <!-- version list -->
 
+## v11.7.0 (2026-03-17)
+
+### Documentation
+
+- Add comprehensive SBOM validation guide
+  ([#933](https://github.com/CycloneDX/cyclonedx-python-lib/pull/933),
+  [`bf596c0`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/bf596c0ed1495bf42add39185f460605b0ecd12a))
+
+- Docstrings for schema version classes
+  ([#946](https://github.com/CycloneDX/cyclonedx-python-lib/pull/946),
+  [`6460b71`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/6460b71b5189a10819e539f1315a7c05b9b7e40e))
+
+- Modernize RTF setup ([#921](https://github.com/CycloneDX/cyclonedx-python-lib/pull/921),
+  [`af0059d`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/af0059d8fb6c9f8cc437f6c210487d131a6f658f))
+
+### Features
+
+- Add properties for licenses according to CycloneDX 1.5
+  ([#947](https://github.com/CycloneDX/cyclonedx-python-lib/pull/947),
+  [`375d209`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/375d209c738473ea2815fc4cb36806563be41e2e))
+
+- Make schema deprecation warnings handle-able
+  ([#945](https://github.com/CycloneDX/cyclonedx-python-lib/pull/945),
+  [`71edacf`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/71edacfaf5c46088d0ca08196b7c858ff39a23b5))
+
+
 ## v11.6.0 (2025-12-02)
 
 ### Documentation

CONTRIBUTING.md

@@ -21,7 +21,7 @@ poetry install --all-extras
 
 ## Code style
 
-THis project loves latest python features.  
+This project loves latest python features.  
 This project loves sorted imports.  
 This project uses [PEP8] Style Guide for Python Code.  
 
@@ -67,7 +67,7 @@ Please sign off your commits, to show that you agree to publish your changes und
 , and to indicate agreement with [Developer Certificate of Origin (DCO)](https://developercertificate.org/).
 
 ```shell
-git commit --signed-off ...
+git commit --signoff ...
 ```
 
 ## Pre-commit hooks

README.md

@@ -14,8 +14,8 @@
 
 ----
 
-OWASP [CycloneDX][link_website] is a full-stack Bill of Materials (BOM) standard
-that provides advanced supply chain capabilities for cyber risk reduction.
+OWASP  [CycloneDX][link_website] is a full‑stack Bill of Materials (BOM) and system‑transparency standard
+that provides deep visibility into software, services, hardware, and AI components, enabling advanced supply‑chain security and cyber‑risk reduction.
 
 This Python package provides data models, validators and more,
 to help you create/render/read CycloneDX documents.

cyclonedx/__init__.py

@@ -22,4 +22,4 @@
 
 # !! version is managed by semantic_release
 # do not use typing here, or else `semantic_release` might have issues finding the variable
-__version__ = "11.6.0"  # noqa:Q000
+__version__ = "11.7.0"  # noqa:Q000

cyclonedx/model/bom.py

@@ -30,6 +30,7 @@
 from .._internal.compare import ComparableTuple as _ComparableTuple
 from .._internal.time import get_now_utc as _get_now_utc
 from ..exception.model import LicenseExpressionAlongWithOthersException, UnknownComponentDependencyException
+from ..schema.deprecation import SchemaDeprecationWarning1Dot6
 from ..schema.schema import (
     SchemaVersion1Dot0,
     SchemaVersion1Dot1,
@@ -291,10 +292,7 @@ def manufacture(self, manufacture: Optional[OrganizationalEntity]) -> None:
               we should set this data on `.component.manufacturer`.
         """
         if manufacture is not None:
-            warn(
-                '`bom.metadata.manufacture` is deprecated from CycloneDX v1.6 onwards. '
-                'Please use `bom.metadata.component.manufacturer` instead.',
-                DeprecationWarning)
+            SchemaDeprecationWarning1Dot6._warn('bom.metadata.manufacture', 'bom.metadata.component.manufacturer')
         self._manufacture = manufacture
 
     @property

cyclonedx/model/component.py

@@ -40,6 +40,7 @@
     SerializationOfUnexpectedValueException,
     SerializationOfUnsupportedComponentTypeException,
 )
+from ..schema.deprecation import SchemaDeprecationWarning1Dot3, SchemaDeprecationWarning1Dot6
 from ..schema.schema import (
     SchemaVersion1Dot0,
     SchemaVersion1Dot1,
@@ -1185,8 +1186,7 @@ def author(self) -> Optional[str]:
     @author.setter
     def author(self, author: Optional[str]) -> None:
         if author is not None:
-            warn('`@.author` is deprecated from CycloneDX v1.6 onwards. '
-                 'Please use `@.authors` or `@.manufacturer` instead.', DeprecationWarning)
+            SchemaDeprecationWarning1Dot6._warn('@.author', '@.authors` or `@.manufacturer')
         self._author = author
 
     @property
@@ -1467,8 +1467,7 @@ def modified(self) -> bool:
     @modified.setter
     def modified(self, modified: bool) -> None:
         if modified:
-            warn('`@.modified` is deprecated from CycloneDX v1.3 onwards. '
-                 'Please use `@.pedigree` instead.', DeprecationWarning)
+            SchemaDeprecationWarning1Dot3._warn('@.modified', '@.pedigree')
         self._modified = modified
 
     @property

cyclonedx/model/license.py

@@ -20,6 +20,7 @@
 License related things
 """
 
+from collections.abc import Iterable
 from enum import Enum
 from json import loads as json_loads
 from typing import TYPE_CHECKING, Any, Optional, Union
@@ -34,7 +35,7 @@
 from ..exception.model import MutuallyExclusivePropertiesException
 from ..exception.serialization import CycloneDxDeserializationException
 from ..schema.schema import SchemaVersion1Dot5, SchemaVersion1Dot6, SchemaVersion1Dot7
-from . import AttachedText, XsUri
+from . import AttachedText, Property, XsUri
 from .bom_ref import BomRef
 
 
@@ -85,6 +86,7 @@ def __init__(
         id: Optional[str] = None, name: Optional[str] = None,
         text: Optional[AttachedText] = None, url: Optional[XsUri] = None,
         acknowledgement: Optional[LicenseAcknowledgement] = None,
+        properties: Optional[Iterable[Property]] = None,
     ) -> None:
         if not id and not name:
             raise MutuallyExclusivePropertiesException('Either `id` or `name` MUST be supplied')
@@ -99,6 +101,7 @@ def __init__(
         self._text = text
         self._url = url
         self._acknowledgement = acknowledgement
+        self._properties = SortedSet(properties or [])
 
     @property
     @serializable.view(SchemaVersion1Dot5)
@@ -200,17 +203,25 @@ def url(self, url: Optional[XsUri]) -> None:
     # def licensing(self, ...) -> None:
     #     ...  # TODO since CDX1.5
 
-    # @property
-    # ...
-    # @serializable.view(SchemaVersion1Dot5)
-    # @serializable.view(SchemaVersion1Dot6)
-    # @serializable.xml_sequence(6)
-    # def properties(self) -> ...:
-    #     ...  # TODO since CDX1.5
-    #
-    # @licensing.setter
-    # def properties(self, ...) -> None:
-    #     ...  # TODO since CDX1.5
+    @property
+    @serializable.view(SchemaVersion1Dot5)
+    @serializable.view(SchemaVersion1Dot6)
+    @serializable.view(SchemaVersion1Dot7)
+    @serializable.xml_array(serializable.XmlArraySerializationType.NESTED, 'property')
+    @serializable.xml_sequence(6)
+    def properties(self) -> 'SortedSet[Property]':
+        """
+        Provides the ability to document properties in a key/value store. This provides flexibility to include data not
+        officially supported in the standard without having to use additional namespaces or create extensions.
+
+        Return:
+            Set of `Property`
+        """
+        return self._properties
+
+    @properties.setter
+    def properties(self, properties: Iterable[Property]) -> None:
+        self._properties = SortedSet(properties)
 
     @property
     @serializable.view(SchemaVersion1Dot6)
@@ -245,6 +256,7 @@ def __comparable_tuple(self) -> _ComparableTuple:
             self._url,
             self._text,
             self._bom_ref.value,
+            _ComparableTuple(self._properties),
         ))
 
     def __eq__(self, other: object) -> bool:

cyclonedx/model/tool.py

@@ -19,7 +19,6 @@
 from collections.abc import Iterable
 from itertools import chain
 from typing import TYPE_CHECKING, Any, Optional, Union
-from warnings import warn
 from xml.etree.ElementTree import Element  # nosec B405
 
 import py_serializable as serializable
@@ -28,6 +27,7 @@
 
 from .._internal.compare import ComparableTuple as _ComparableTuple
 from ..schema import SchemaVersion
+from ..schema.deprecation import SchemaDeprecationWarning1Dot5
 from ..schema.schema import SchemaVersion1Dot4, SchemaVersion1Dot5, SchemaVersion1Dot6, SchemaVersion1Dot7
 from . import ExternalReference, HashType, _HashTypeRepositorySerializationHelper
 from .component import Component
@@ -240,9 +240,7 @@ def tools(self) -> 'SortedSet[Tool]':
     @tools.setter
     def tools(self, tools: Iterable[Tool]) -> None:
         if tools:
-            warn('`@.tools` is deprecated from CycloneDX v1.5 onwards. '
-                 'Please use `@.components` and `@.services` instead.',
-                 DeprecationWarning)
+            SchemaDeprecationWarning1Dot5._warn('@.tools', '@.components` and `@.services')
         self._tools = SortedSet(tools)
 
     def __len__(self) -> int:

cyclonedx/schema/deprecation.py

@@ -0,0 +1,129 @@
+# This file is part of CycloneDX Python Library
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+
+
+"""
+CycloneDX Schema Deprecation Warnings
+=====================================
+
+This module provides warning classes for deprecated features in CycloneDX schemas.
+Each warning class corresponds to a specific schema version, enabling downstream
+code to catch, filter, or otherwise handle schema-specific deprecation warnings.
+
+Intended Usage
+--------------
+
+Downstream consumers can manage warnings using Python's ``warnings`` module.
+Common scenarios include:
+
+- Filtering by schema version
+- Suppressing warnings in tests or batch processing
+- Logging or reporting deprecation warnings without raising exceptions
+
+Example
+-------
+
+.. code-block:: python
+
+    import warnings
+    from cyclonedx.schema.deprecation import (
+        BaseSchemaDeprecationWarning,
+        SchemaDeprecationWarning1Dot7,
+    )
+
+    # Suppress all CycloneDX schema deprecation warnings
+    warnings.filterwarnings("ignore", category=BaseSchemaDeprecationWarning)
+
+    # Suppress only warnings specific to schema version 1.7
+    warnings.filterwarnings("ignore", category=SchemaDeprecationWarning1Dot7)
+
+Notes
+-----
+
+- All deprecation warnings inherit from :class:`BaseSchemaDeprecationWarning`.
+- The ``SCHEMA_VERSION`` class variable indicates the CycloneDX schema version
+  where the feature became deprecated.
+- These warning classes are designed for downstream **filtering and logging**,
+  not for raising exceptions.
+"""
+
+
+from abc import ABC
+from typing import ClassVar, Literal, Optional
+from warnings import warn
+
+from . import SchemaVersion
+
+__all__ = [
+    'BaseSchemaDeprecationWarning',
+    'SchemaDeprecationWarning1Dot1',
+    'SchemaDeprecationWarning1Dot2',
+    'SchemaDeprecationWarning1Dot3',
+    'SchemaDeprecationWarning1Dot4',
+    'SchemaDeprecationWarning1Dot5',
+    'SchemaDeprecationWarning1Dot6',
+    'SchemaDeprecationWarning1Dot7',
+]
+
+
+class BaseSchemaDeprecationWarning(DeprecationWarning, ABC):
+    """Base class for warnings about deprecated schema features."""
+
+    SCHEMA_VERSION: ClassVar[SchemaVersion]
+
+    @classmethod
+    def _warn(cls, deprecated: str, instead: Optional[str] = None, *, stacklevel: int = 1) -> None:
+        """Internal API. Not part of the public interface."""
+        msg = f'`{deprecated}` is deprecated from CycloneDX v{cls.SCHEMA_VERSION.to_version()} onwards.'
+        if instead:
+            msg += f' Please use `{instead}` instead.'
+        warn(msg, category=cls, stacklevel=stacklevel + 1)
+
+
+class SchemaDeprecationWarning1Dot7(BaseSchemaDeprecationWarning):
+    """Class for warnings about deprecated schema features in CycloneDX 1.7"""
+    SCHEMA_VERSION: ClassVar[Literal[SchemaVersion.V1_7]] = SchemaVersion.V1_7
+
+
+class SchemaDeprecationWarning1Dot6(BaseSchemaDeprecationWarning):
+    """Class for warnings about deprecated schema features in CycloneDX 1.6"""
+    SCHEMA_VERSION: ClassVar[Literal[SchemaVersion.V1_6]] = SchemaVersion.V1_6
+
+
+class SchemaDeprecationWarning1Dot5(BaseSchemaDeprecationWarning):
+    """Class for warnings about deprecated schema features in CycloneDX 1.5"""
+    SCHEMA_VERSION: ClassVar[Literal[SchemaVersion.V1_5]] = SchemaVersion.V1_5
+
+
+class SchemaDeprecationWarning1Dot4(BaseSchemaDeprecationWarning):
+    """Class for warnings about deprecated schema features in CycloneDX 1.4"""
+    SCHEMA_VERSION: ClassVar[Literal[SchemaVersion.V1_4]] = SchemaVersion.V1_4
+
+
+class SchemaDeprecationWarning1Dot3(BaseSchemaDeprecationWarning):
+    """Class for warnings about deprecated schema features in CycloneDX 1.3"""
+    SCHEMA_VERSION: ClassVar[Literal[SchemaVersion.V1_3]] = SchemaVersion.V1_3
+
+
+class SchemaDeprecationWarning1Dot2(BaseSchemaDeprecationWarning):
+    """Class for warnings about deprecated schema features in CycloneDX 1.2"""
+    SCHEMA_VERSION: ClassVar[Literal[SchemaVersion.V1_2]] = SchemaVersion.V1_2
+
+
+class SchemaDeprecationWarning1Dot1(BaseSchemaDeprecationWarning):
+    """Class for warnings about deprecated schema features in CycloneDX 1.1"""
+    SCHEMA_VERSION: ClassVar[Literal[SchemaVersion.V1_1]] = SchemaVersion.V1_1