Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

change: composer make-bom -> composer CycloneDX:make-sbom #293

Closed
3 tasks done
jkowalleck opened this issue Feb 3, 2023 · 2 comments · Fixed by #314
Closed
3 tasks done

change: composer make-bom -> composer CycloneDX:make-sbom #293

jkowalleck opened this issue Feb 3, 2023 · 2 comments · Fixed by #314
Labels
breaking change
Milestone
v4

Comments

@jkowalleck
Copy link
Member

jkowalleck commented Feb 3, 2023
edited
Loading

Is your feature request related to a problem? Please describe.

Currently, the functionality of this tool is called via composer make-bom.
This make-bom is ambiguous, since multiple tools may register that same command, and multiple "BOM" standards(CDX, SPDX, ...) and use cases or types(SBOM, VEX, ...) exist.
Therefore, it would be better to scope the command and be more precise about the type.

lets give out make-bom command the namespace CycloneDX.
In Composer/Symfony ecosystem namespaces are separated by :.

Describe the solution you'd like

Current functionality is callable via CycloneDX:make-sbom.
README and docs are reflecting the new call method.

Current functionality is still callable via make-bom in current mayor version, which will output a deprecation warning on StdErr stream, before executing the actual functionality.
Current functionality is no longer callable via make-bom in next mayor version.

Describe alternatives you've considered

none

Additional context

Add any other context or screenshots about the feature request here.

status:
@jkowalleck jkowalleck added this to the v4 milestone Feb 3, 2023
@jkowalleck
Copy link
Member Author

jkowalleck commented Feb 10, 2023
edited
Loading

Expected outcome: see at the bottom of the output our command in a separate sectipon

composer list
   ______
  / ____/___  ____ ___  ____  ____  ________  _____
 / /   / __ \/ __ `__ \/ __ \/ __ \/ ___/ _ \/ ___/
/ /___/ /_/ / / / / / / /_/ / /_/ (__  )  __/ /
\____/\____/_/ /_/ /_/ .___/\____/____/\___/_/
                    /_/
Composer version 2.5.2 2023-02-04 14:33:22

Usage:
  command [options] [arguments]

Options:
  -h, --help                     Display help for the given command. When no command is given display help for the list command
  -q, --quiet                    Do not output any message
  -V, --version                  Display this application version
      --ansi|--no-ansi           Force (or disable --no-ansi) ANSI output
  -n, --no-interaction           Do not ask any interactive question
      --profile                  Display timing and memory usage information
      --no-plugins               Whether to disable plugins.
      --no-scripts               Skips the execution of all scripts defined in composer.json file.
  -d, --working-dir=WORKING-DIR  If specified, use the given directory as working directory.
      --no-cache                 Prevent use of the cache
  -v|vv|vvv, --verbose           Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug

Available commands:
  about                Shows a short information about Composer
  archive              Creates an archive of this composer package
  audit                Checks for security vulnerability advisories for installed packages
  bin                  Run a command inside a bin namespace
  browse               [home] Opens the package's repository URL or homepage in your browser
  bump                 Increases the lower limit of your composer.json requirements to the currently installed versions
  check-platform-reqs  Check that platform requirements are satisfied
  clear-cache          [clearcache|cc] Clears composer's internal package cache
  completion           Dump the shell completion script
  config               Sets config options
  create-project       Creates new project from a package into given directory
  depends              [why] Shows which packages cause the given package to be installed
  diagnose             Diagnoses the system to identify common errors
  dump-autoload        [dumpautoload] Dumps the autoloader
  exec                 Executes a vendored binary/script
  fund                 Discover how to help fund the maintenance of your dependencies
  global               Allows running commands in the global composer dir ($COMPOSER_HOME)
  help                 Display help for a command
  init                 Creates a basic composer.json file in current directory
  install              [i] Installs the project dependencies from the composer.lock file if present, or falls back on the composer.json
  licenses             Shows information about licenses of dependencies
  list                 List commands
  outdated             Shows a list of installed packages that have updates available, including their latest version
  prohibits            [why-not] Shows which packages prevent the given package from being installed
  reinstall            Uninstalls and reinstalls the given package names
  remove               Removes a package from the require or require-dev
  require              [r] Adds required packages to your composer.json and installs them
  run-script           [run] Runs the scripts defined in composer.json
  search               Searches for packages
  self-update          [selfupdate] Updates composer.phar to the latest version
  show                 [info] Shows information about packages
  status               Shows a list of locally modified packages
  suggests             Shows package suggestions
  update               [u|upgrade] Updates your dependencies to the latest version according to composer.json, and updates the composer.lock file
  validate             Validates a composer.json and composer.lock
 CycloneDX
  CycloneDX:make-sbom  Generate a CycloneDX Bill of Materials from a PHP composer project.

This was referenced Feb 10, 2023
Merged
Closed
Merged
@jkowalleck jkowalleck linked a pull request Feb 11, 2023 that will close this issue
BC: drop deprecated command make-bom #314
Merged
@jkowalleck jkowalleck removed the idea label Feb 13, 2023
@jkowalleck
Copy link
Member Author

ALL DONE

jkowalleck added a commit that referenced this issue Mar 11, 2023
@jkowalleck
v4 features (#250)
c93fa4c 
* BREAKING changes
  * Removed support for PHP `<8.0` ([#91] via [#250])
  * Removed support for PHP `<8.1` (via [#250])
  * Removed support for Composer `<2.3` ([#153] via [#250])
  * CLI
    * Removed deprecated composer command `make-bom`, call `composer CycloneDX:make-sbom` instead ([#293] via [#309])
    * Changed option `output-file` to default to `-` now, which causes to print to STDOUT (via [#250])
    * Removed option `exclude-dev` in favour of new option `omit` (via [#250])
    * Removed option `exclude-plugins` in favour of new option `omit` (via [#250])
    * Removed option `no-version-normalization` ([#102] via [#250])
  * SBOM results
    * Components' version is no longer artificially normalized ([#102] via [#250])
  * Dependencies
    * Requires `cyclonedx/cyclonedx-library:^2.0`, was `:^1.4.2` ([#128] via [#250])
* Changed
  * Evidence analysis prefers actually installed packages over lock file ([#122] via [#250])
  * Root component's versions is unset, if version detection fails ([#154] via [#250])
  * Composer packages of type "composer-installer" are treated as composer plugins (via [#250])
* Added
  * Evidence collection knows actually installed packages ([#122] via [#250])
  * SBOM results
    * Support for CycloneDX Spec v1.4 (via [#250])
    * might have `serialnumber` populated ([#279] via [#250])
    * might have `metadata.timestamp` populated ([#112] via [#250])
    * might have `metadata.tools[].tool.externalReferences` populated ([#171] via [#250])
    * might have `components[].component.author` populated ([#261] via [#250])
    * might have `components[].component.properties` populated according to [`cdx:composer` Namespace Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/composer.md) (via [#250])
  * CLI
    * New option `omit` (via [#250])
    * New switch `validate` to override `no-validate` (via [#250])
    * New switches `output-reproducible` and `no-output-reproducible` (via [#250])
* Misc
  * Added demo and reproducible continuous integration test "devReq" that is dedicated to composer's `require-dev` feature (via [#250])
  * Reworked demo setups to be more global-install like (via [#250])

[#91]:  #91
[#102]: #102
[#112]: #112
[#122]: #122
[#128]: #128
[#153]: #153
[#154]: #154
[#171]: #171
[#250]: #250
[#261]: #261
[#279]: #279
[#293]: #293
[#309]: #309
[#313]: #313

---------

Signed-off-by: Jan Kowalleck <[email protected]>
@jkowalleck jkowalleck mentioned this issue Mar 11, 2023
Merged
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
breaking change
Projects
None yet
Milestone
v4
Development

Successfully merging a pull request may close this issue.

BC: drop deprecated command make-bom CycloneDX/cyclonedx-php-composer
1 participant
@jkowalleck