v4 features (#250)

* BREAKING changes
  * Removed support for PHP `<8.0` ([#91] via [#250])
  * Removed support for PHP `<8.1` (via [#250])
  * Removed support for Composer `<2.3` ([#153] via [#250])
  * CLI
    * Removed deprecated composer command `make-bom`, call `composer CycloneDX:make-sbom` instead ([#293] via [#309])
    * Changed option `output-file` to default to `-` now, which causes to print to STDOUT (via [#250])
    * Removed option `exclude-dev` in favour of new option `omit` (via [#250])
    * Removed option `exclude-plugins` in favour of new option `omit` (via [#250])
    * Removed option `no-version-normalization` ([#102] via [#250])
  * SBOM results
    * Components' version is no longer artificially normalized ([#102] via [#250])
  * Dependencies
    * Requires `cyclonedx/cyclonedx-library:^2.0`, was `:^1.4.2` ([#128] via [#250])
* Changed
  * Evidence analysis prefers actually installed packages over lock file ([#122] via [#250])
  * Root component's versions is unset, if version detection fails ([#154] via [#250])
  * Composer packages of type "composer-installer" are treated as composer plugins (via [#250])
* Added
  * Evidence collection knows actually installed packages ([#122] via [#250])
  * SBOM results
    * Support for CycloneDX Spec v1.4 (via [#250])
    * might have `serialnumber` populated ([#279] via [#250])
    * might have `metadata.timestamp` populated ([#112] via [#250])
    * might have `metadata.tools[].tool.externalReferences` populated ([#171] via [#250])
    * might have `components[].component.author` populated ([#261] via [#250])
    * might have `components[].component.properties` populated according to [`cdx:composer` Namespace Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/composer.md) (via [#250])
  * CLI
    * New option `omit` (via [#250])
    * New switch `validate` to override `no-validate` (via [#250])
    * New switches `output-reproducible` and `no-output-reproducible` (via [#250])
* Misc
  * Added demo and reproducible continuous integration test "devReq" that is dedicated to composer's `require-dev` feature (via [#250])
  * Reworked demo setups to be more global-install like (via [#250])

[#91]:  #91
[#102]: #102
[#112]: #112
[#122]: #122
[#128]: #128
[#153]: #153
[#154]: #154
[#171]: #171
[#250]: #250
[#261]: #261
[#279]: #279
[#293]: #293
[#309]: #309
[#313]: #313

---------

Signed-off-by: Jan Kowalleck <[email protected]>

.gitattributes

@@ -1,34 +1,33 @@
-* text=auto
+* text=auto eol=lf
 
-*.txt         text eol=lf
-*.md          text eol=lf diff=markdown
-*.php         text eol=lf diff=php
-*.json        text eol=lf diff=json
-*.xml         text eol=lf diff=xml
-*.xml.dist    text eol=lf diff=xml
-*.xsd         text eol=lf diff=xml
-*.neon        text eol=lf diff=yaml
-*.neon.dist   text eol=lf diff=yaml
-composer.lock text eol=lf diff=json
+*.txt           text eol=lf
+*.md            text eol=lf diff=markdown
+*.php           text eol=lf diff=php
+*.json          text eol=lf diff=json
+*.xml           text eol=lf diff=xml
+*.xml.dist      text eol=lf diff=xml
+*.xsd           text eol=lf diff=xml
+*.neon          text eol=lf diff=yaml
+*.neon.dist     text eol=lf diff=yaml
+composer.lock   text eol=lf diff=json
 
 # files that are not bundled into the "dist" release are marked `export-ignore`
-.gitattributes          export-ignore
-.gitignore              export-ignore
-.editorconfig           export-ignore
-/.github                export-ignore
-/tests                  export-ignore
-/tools                  export-ignore
-/.php-cs-fixer.dist.php export-ignore
-/phpunit.xml.dist       export-ignore
-/psalm.xml.dist         export-ignore
-/.psalm                 export-ignore
-/HISTORY.md             export-ignore
-/CODEOWNERS             export-ignore
-/CONTRIBUTING.md        export-ignore
-/demo                   export-ignore
-/docs/dev               export-ignore
+/CODEOWNERS                     export-ignore
+/CONTRIBUTING.md                export-ignore
+.gitattributes                  export-ignore
+.gitignore                      export-ignore
+.editorconfig                   export-ignore
+/.*                             export-ignore
+/demo                           export-ignore
+/docs/dev                       export-ignore
+/tests                          export-ignore
+/tools                          export-ignore
+/composer-require-checker.json  export-ignore
+/phpunit.dist.xml               export-ignore
+/psalm.xml.dist                 export-ignore
 
-# files that are forced to be exported in "dist" releaes
-/NOTICE                 -export-ignore
-/LICENSE                -export-ignore
-/semver.txt             -export-ignore
+# files that are forced to be exported in "dist" releases
+/README.*       -export-ignore
+/NOTICE         -export-ignore
+/LICENSE        -export-ignore
+/semver.txt     -export-ignore

.github/FUNDING.yml

@@ -0,0 +1,10 @@
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository
+
+## copied from https://github.com/CycloneDX/.github/blob/master/FUNDING.yml
+custom:
+  - "https://owasp.org/donate/?reponame=www-project-cyclonedx&title=OWASP+CycloneDX"
+
+## project extras
+github:
+  - jkowalleck
+

.github/dependabot.yml

@@ -73,6 +73,20 @@ updates:
       prefix: 'tools'
       include: 'scope'
     open-pull-requests-limit: 999
+  - directory: '/tools/phpunit'
+    package-ecosystem: 'composer'
+    schedule:
+      interval: 'weekly'
+      day: 'saturday'
+    allow:
+      - dependency-type: 'all'
+    versioning-strategy: 'auto'
+    labels: [ 'dependencies', 'tools' ]
+    commit-message:
+      ## prefix maximum string length of 15
+      prefix: 'tools'
+      include: 'scope'
+    open-pull-requests-limit: 999
   - directory: '/tools/psalm'
     package-ecosystem: 'composer'
     schedule:

.github/workflows/demo.yml

@@ -4,18 +4,21 @@ name: DEMO
 
 # @TODO make this an integration test
 
+
 on:
   push:
-    branches: ["master"]
-    paths-ignore:
-      - 'docs/**'
-      - 'tests/**'
-      - 'tools/**'
+    branches: ["master", "next"]
+    paths:
+      - '.github/workflows/demo.yml'
+      - 'src/**'
+      - 'demo/**'
+      - 'composer.*'
   pull_request:
-    paths-ignore:
-      - 'docs/**'
-      - 'tests/**'
-      - 'tools/**'
+    paths:
+      - '.github/workflows/demo.yml'
+      - 'src/**'
+      - 'demo/**'
+      - 'composer.*'
   workflow_dispatch:
   schedule:
     # schedule weekly tests, since dependencies are not intended to be pinned
@@ -26,71 +29,69 @@ env:
   PHP_VERSION_LATEST: "8.2"
   PHP_PROJECT_EXT: dom,filter,json,libxml # via `composer info -pt` and removed dev req
   REPORTS_DIR: CI_reports
+  DEMO_TOOL_PATH: demo/.tool
+  CDX_CP_TOOLS_VERSION_OVERRIDE: in-dev
+  CDX_CP_TOOLS_EXCLUDE_LIBS: 1
 
 jobs:
   reproducible:
     name: >
-      Reproducible "${{ matrix.subject }}"
+      R: "${{ matrix.subject }}"
       (${{ matrix.spec-version }}
       ${{ matrix.output-format }},
-      composer${{ matrix.composer }}
-      php${{ matrix.php }},
+      c${{ matrix.composer }}
+      p${{ matrix.php }},
+      i:${{ matrix.install }}
       stdout:${{ matrix.stdout }})
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 10
     env:
       REPORTS_ARTIFACT: demo-reproducible
     strategy:
       fail-fast: false
       matrix:
         subject: # list of reproducible demos
+          - devReq
           - laravel-7.12.0
           - local
         php:
-          - "8.2" # latest
-          - "7.3" # lowest supported
+          - "8.2"  # latest
+          - "8.1"  # lowest supported
         composer:
-          - "2"     # latest 2.x
-          - "2.3"   # latest 2.3
-          - "2.2"   # latest 2.2
-          - "2.1"   # latest 2.1
-          - "2.0"   # latest 2.0 = lowest supported
+          - "v2"   # latest 2.x
+          - "2.3"  # latest 2.3 = lowest supported
         output-format:
           # lowercase the format, since it is also used as a file extension when searching the original file
           - xml
           - json
         spec-version:
-          # - "1.4" via a later version of the CDX lib
+          - "1.4"
           - "1.3"
           - "1.2"
           - "1.1"
           # - "1.0" # not implemented
         stdout: [ false ]
+        install: [ true , false ]
         exclude:
           # exclude unsupported combinations: json is defined in spec >= 1.2
           - output-format: json
             spec-version: "1.0"
           - output-format: json
             spec-version: "1.1"
-          # exclude broken combinations due to env issues
-          - php: "8.2"
-            composer: "2.0"
-          - php: "8.1"
-            composer: "2.0"
         include:
           - # test with lowest combination
-            php: "7.3"        # lowest
-            composer: "2.0.0" # lowest
+            php: "8.1"          # lowest
+            composer: "2.3.0"   # lowest
             # any other props
-            spec-version: "1.3"
+            spec-version: "1.4"
             subject: laravel-7.12.0
             output-format: xml
             stdout: false
-          - # test if stdout receives no data except the SBOM
-            stdout: true # TRUE
-            php: "8.2"          # latest
-            composer: "2"       # latest
-            spec-version: "1.3" # latest
+          - # test if STDOUT receives no data except the SBOM
+            stdout: true  # << the subject of this test-case
+            php: "8.2"           # latest
+            composer: "v2"       # latest
+            spec-version: "1.4"  # latest
             # any other props
             subject: laravel-7.12.0
             output-format: xml
@@ -101,59 +102,79 @@ jobs:
       - name: Setup paths and folders
         run: |
           PWD="$(pwd -P)"
-          OUT_FILE="${{ matrix.subject }}_php${{ matrix.php }}_composer${{ matrix.composer }}_bom.${{ matrix.spec-version }}.${{ matrix.output-format }}"
-          COMPARE_FILE="bom.${{ matrix.spec-version }}.${{ matrix.output-format }}"
-          DEMO_RUN_DIR="demo/${{ matrix.subject }}"
-          echo "DEMO_RUN_DIR=$DEMO_RUN_DIR" >> $GITHUB_ENV
+          OUT_FILE='${{ matrix.subject }}_php${{ matrix.php }}_composer${{ matrix.composer }}_bom.${{ matrix.spec-version }}.${{ matrix.output-format }}'
+          COMPARE_FILE='bom.${{ matrix.spec-version }}.${{ matrix.output-format }}'
+          DEMO_SUBJECT_DIR="$PWD"'/demo/${{ matrix.subject }}'
+          echo "DEMO_PROJECT_DIR=$DEMO_SUBJECT_DIR/project" >> $GITHUB_ENV
           REPORTS_DIR_PATH="$PWD/$REPORTS_DIR"
-          mkdir -p "$REPORTS_DIR_PATH/${{ matrix.subject }}"
+          mkdir -p "$REPORTS_DIR_PATH"/'${{ matrix.subject }}'
           echo "REPORTS_DIR_PATH=$REPORTS_DIR_PATH" >> $GITHUB_ENV
           echo "OUT_FILE_PATH=$REPORTS_DIR_PATH/$OUT_FILE" >> $GITHUB_ENV
-          echo "COMPARE_FILE_PATH=$PWD/$DEMO_RUN_DIR/results/$COMPARE_FILE" >> $GITHUB_ENV
+          echo "COMPARE_FILE_PATH=$DEMO_SUBJECT_DIR/results/$COMPARE_FILE" >> $GITHUB_ENV
+      - name: Setup OMIT "dev"
+        run: |
+          OMIT_RULES=''
+          if [ '${{ matrix.subject}}' != 'devReq' ]; then
+            OMIT_RULES="$OMIT_RULES --omit=dev"
+          fi
+          echo "OMIT_RULES=$OMIT_RULES" >> $GITHUB_ENV
       - name: Setup PHP
         # see https://github.com/shivammathur/setup-php
         uses: shivammathur/setup-php@v2
         with:
           php-version: ${{ matrix.php }}
           extensions: ${{ env.PHP_PROJECT_EXT }}
-          tools: composer:v${{ matrix.composer }}
+          tools: composer:${{ matrix.composer }}
           coverage: none
       - name: Get composer cache directory
         id: composer-cache
-        working-directory: ${{ env.DEMO_RUN_DIR }}/project
-        run: echo "::set-output name=dir::$(composer config cache-files-dir)"
+        working-directory: ${{ env.DEMO_PROJECT_DIR }}
+        shell: bash
+        run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
       - name: Cache dependencies
         # see https://github.com/actions/cache
         uses: actions/cache@v3
         with:
           path: ${{ steps.composer-cache.outputs.dir }}
-          key: composer-${{ github.job }}-${{ matrix.subject }}-${{ runner.os }}-${{ matrix.php }}-${{ hashFiles('demo/**/composer.lock') }}
+          key: composer-${{ github.job }}-${{ matrix.subject }}-php${{ matrix.php }}-${{ hashFiles('composer.*', 'demo/*/project/composer.*') }}
           restore-keys: |
-            composer-${{ github.job }}-${{ matrix.subject }}-${{ runner.os }}-${{ matrix.php }}-
-            composer-${{ github.job }}-${{ matrix.subject }}-${{ runner.os }}-
-      - name: Install dependencies
-        working-directory: ${{ env.DEMO_RUN_DIR }}/project
-        run: composer install --prefer-dist --no-interaction --no-progress
+            composer-${{ github.job }}-${{ matrix.subject }}-php${{ matrix.php }}-
+            composer-${{ github.job }}-${{ matrix.subject }}-
+      - name: Install composer plugin
+        working-directory: ${{ env.DEMO_TOOL_PATH }}
+        run: composer install
+      - name: Install project dependencies & kick lockfile
+        if: ${{ matrix.install }}
+        working-directory: ${{ env.DEMO_PROJECT_DIR }}
+        run: |
+          composer setup
+          rm composer.lock
       - name: Make SBOM to file
         if: ${{ ! matrix.stdout }}
-        working-directory: ${{ env.DEMO_RUN_DIR }}/project
+        working-directory: ${{ env.DEMO_TOOL_PATH }}
         run: >
           composer CycloneDX:make-sbom
           -vvv
-          --exclude-dev
+          $OMIT_RULES
           --spec-version=${{ matrix.spec-version }}
+          --output-reproducible
           --output-format=${{ matrix.output-format }}
           --output-file="$OUT_FILE_PATH"
+          --
+          ${{ env.DEMO_PROJECT_DIR }}/composer.json
       - name: Make SBOM to STDOUT
         if: ${{ matrix.stdout }}
-        working-directory: ${{ env.DEMO_RUN_DIR }}/project
+        working-directory: ${{ env.DEMO_TOOL_PATH }}
         run: >
           composer CycloneDX:make-sbom
           -vvv
-          --exclude-dev
+          $OMIT_RULES
           --spec-version=${{ matrix.spec-version }}
+          --output-reproducible
           --output-format=${{ matrix.output-format }}
           --output-file=-
+          --
+          ${{ env.DEMO_PROJECT_DIR }}/composer.json
           > "$OUT_FILE_PATH"
       - name: Compare reproducible SBOM
         run: >

.github/workflows/php-dev.yml

@@ -4,18 +4,16 @@ name: Assure PHP Dev Setup
 
 on:
   push:
-    branches: ["master"]
+    branches: ["master", "next"]
     paths:
       - '.github/workflows/php-dev.yml'
       - 'tools/**'
-      - 'composer.json'
-      - 'composer.lock'
+      - 'composer.*'
   pull_request:
     paths:
       - '.github/workflows/php-dev.yml'
       - 'tools/**'
-      - 'composer.json'
-      - 'composer.lock'
+      - 'composer.*'
   workflow_dispatch:
   schedule:
     # schedule weekly tests, since dependencies are not intended to be pinned
@@ -24,23 +22,19 @@ on:
 
 env:
   PHP_VERSION_LATEST: "8.2"
-  PHP_PROJECT_EXT: dom,filter,json,libxml,simplexml  # via `composer info -pt`
+  PHP_PROJECT_EXT: dom,json,libxml  # via `composer info -pt`
 
 jobs:
-  asure-dev-setup:
-    name: DevSetup (${{ matrix.os}}, ${{ matrix.php }}, ${{ matrix.dependencies }})
+  assure-dev-setup:
+    name: DevSetup (${{ matrix.os}}, ${{ matrix.php }})
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
         os: [ "ubuntu-latest", "macos-latest", "windows-latest" ]
         php:
           - "8.2" # highest supported
-          - "8.1"
-          - "8.0"
-          - "7.4"
-          ## below is a list of versions the project supports on runtime - but not on dev-time
-          # - "7.3" # lowest supported
+          - "8.1" # lowest supported
     timeout-minutes: 30
     steps:
       - name: Checkout
@@ -52,19 +46,19 @@ jobs:
         with:
           php-version: ${{ matrix.php }}
           extensions: ${{ env.PHP_PROJECT_EXT }}
-          tools: composer:v2
+          tools: 'composer:v2'
       - name: Get composer cache directory
         id: composer-cache
-        run: echo "::set-output name=dir::$(composer config cache-files-dir)"
+        run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
+        shell: bash
       - name: Cache dependencies
         # see https://github.com/actions/cache
         uses: actions/cache@v3
         with:
           path: ${{ steps.composer-cache.outputs.dir }}
-          key: composer-${{ github.job }}-${{ runner.os }}-${{ matrix.php }}-${{ matrix.dependencies }}-${{ hashFiles('**/composer.json') }}
+          key: composer-${{ github.job }}-${{ runner.os }}-php${{ matrix.php }}-${{ hashFiles('composer.*', 'tools/*/composer.*') }}
           restore-keys: |
-            composer-${{ github.job }}-${{ runner.os }}-${{ matrix.php }}-${{ matrix.dependencies }}-
-            composer-${{ github.job }}-${{ runner.os }}-${{ matrix.php }}-
+            composer-${{ github.job }}-${{ runner.os }}-php${{ matrix.php }}-
             composer-${{ github.job }}-${{ runner.os }}-
       - name: Dev-Setup
         run: >