✨ Core v1.7 Enablement #37
Pull Request Overview
This PR enables CycloneDX specification version selection (default 1.7) across the BOM generation pipeline. Users can now specify their desired spec version via a new --spec-version flag, and the output will conform to that version's schema.
- Added --spec-version flag with validation (supports 1.1–1.7, defaults to 1.7)
- Updated JSON and XML BOM generation to use the selected spec version
- Refactored path handling to use absolute paths and improved error message formatting
Reviewed Changes
Copilot reviewed 12 out of 13 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| lib/bom_helpers.rb | Added SUPPORTED_SPEC_VERSIONS, cyclonedx_xml_namespace() helper, and propagated spec_version to JSON/XML builders |
| lib/bom_builder.rb | Added --spec-version option parsing, validation, and normalized project path handling; improved backtrace formatting |
| spec/bom_helpers_spec.rb | Added tests verifying spec version is correctly set in JSON and XML outputs |
| spec/spec_helper.rb | Added require 'ostruct' for test utilities |
| features/step_definitions/json_bom_matching.rb | Added .rstrip to normalize trailing whitespace in JSON comparisons |
| features/help.feature | Updated help text to document new --spec-version option |
| features/json_format.feature | Removed trailing blank line |
| features/fixtures/simple/bom.xml.expected | Updated fixture to expect CycloneDX 1.7 namespace |
| features/fixtures/simple/bom.json.expected | Updated fixture to expect specVersion: 1.7 |
| features/fixtures/simple/Gemfile | Pinned gem versions for deterministic test output |
| cyclonedx-ruby.gemspec | Updated cucumber and aruba dev dependencies |
| README.md | Documented new --spec-version flag with examples |
7774b64 to f1ca5a7
f1ca5a7 to c4e441c
c4e441c to 8be635e
2cb9672 to 14e18f3
d636cf3 to 7b47555
Will do today!
- Add spec version selection end-to-end with a new --spec-version flag (default 1.7).
- Update JSON and XML outputs to honor the selected spec version.
- Update fixtures, help text, tests, and docs.
Files:
- lib/bom_helpers.rb:
  - Added SUPPORTED_SPEC_VERSIONS, cyclonedx_xml_namespace helper.
  - build_bom now accepts spec_version and routes to:
    - build_json_bom(gems, spec_version) sets specVersion to the provided version.
    - build_bom_xml(gems, spec_version) sets xmlns to http://cyclonedx.org/schema/bom/<version>.
- lib/bom_builder.rb:
  - Added --spec-version with validation; default is 1.7.
  - Pass @spec_version into build_bom(@gems, @bom_output_format, @spec_version).
Signed-off-by: Peter H. Boling <peter.boling@gmail.com>
7b47555 to d890056
@jkowalleck rebase complete
@jkowalleck It seems like I should be able to get to the Codacy report somehow, but I'm not sure where to find the link to it from the CI results.
LGTM
Pull request overview
Copilot reviewed 9 out of 11 changed files in this pull request and generated 2 comments.
```ruby
# Spec version selection
requested_spec = @options[:spec_version] || '1.7'
if SUPPORTED_SPEC_VERSIONS.include?(requested_spec)
  @spec_version = requested_spec
else
  @logger.error("Unrecognized CycloneDX spec version '#{requested_spec}'. Please choose one of #{SUPPORTED_SPEC_VERSIONS}")
  abort
end
```
The new spec version validation logic lacks test coverage. While other features like format validation have integration tests in the features directory (e.g., xml_format.feature, json_format.feature), there are no tests verifying the spec version flag behavior, such as testing that an invalid version is rejected or that a valid version like 1.3 produces the correct output with the appropriate namespace/version.
```ruby
def cyclonedx_xml_namespace(spec_version)
  "http://cyclonedx.org/schema/bom/#{spec_version}"
end
```
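Review bot: cyclonedx_xml_namespace interpolates spec_version into the xmlns with no check of its own, so it is only safe because bom_builder.rb validates the value against SUPPORTED_SPEC_VERSIONS first; any future caller that passes an unvalidated string (or a Float such as 1.7 from an option parser) would emit an unparseable or wrong namespace. Either document that precondition in a comment, or guard it here (`raise ArgumentError unless SUPPORTED_SPEC_VERSIONS.include?(spec_version)`), and add the unit test for each supported version that Copilot requests.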
The new cyclonedx_xml_namespace helper method lacks test coverage. Similar to how the purl method has unit tests in bom_helpers_spec.rb, this new method should have tests verifying it correctly constructs namespace URLs for different spec versions.
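As an added example (not cyclonedx-ruby's own code), the following self-contained Ruby models the flow the commit message describes and exercises what both Copilot comments ask for: an allow-list check of the requested version, the namespace helper, routing into JSON and XML builders, and a read-back that confirms the version actually landed in specVersion / xmlns. The names select_spec_version and spec_version_of, the SAMPLE_GEMS records and the minimal document shapes are assumptions made for illustration; the project's real builders emit more fields than this.

```ruby
# Added example, not code from the cyclonedx-ruby project: models how a validated
# --spec-version value flows into JSON and XML BOM output, then parses the output
# back to confirm the version is where the schema expects it.
require 'json'
require 'rexml/document'

SUPPORTED_SPEC_VERSIONS = %w[1.1 1.2 1.3 1.4 1.5 1.6 1.7].freeze
DEFAULT_SPEC_VERSION = '1.7'

# Strict allow-list check (hypothetical name). Mirrors the PR's validation but
# raises instead of calling abort so it can be unit-tested.
def select_spec_version(requested)
  requested = (requested || DEFAULT_SPEC_VERSION).to_s.strip
  unless SUPPORTED_SPEC_VERSIONS.include?(requested)
    raise ArgumentError,
          "Unrecognized CycloneDX spec version '#{requested}'. " \
          "Choose one of #{SUPPORTED_SPEC_VERSIONS.join(', ')}"
  end
  requested
end

# Same shape as the helper under review; only ever called with a validated version.
def cyclonedx_xml_namespace(spec_version)
  "http://cyclonedx.org/schema/bom/#{spec_version}"
end

# Constructed sample gem records (assumed field names), not real lockfile output.
SAMPLE_GEMS = [
  { name: 'rake', version: '13.0.6', purl: 'pkg:gem/rake@13.0.6' },
  { name: 'json', version: '2.7.1', purl: 'pkg:gem/json@2.7.1' }
].freeze

# Minimal JSON BOM: specVersion carries the selected version.
def build_json_bom(gems, spec_version)
  {
    'bomFormat' => 'CycloneDX',
    'specVersion' => spec_version,
    'version' => 1,
    'components' => gems.map do |g|
      { 'type' => 'library', 'name' => g[:name], 'version' => g[:version], 'purl' => g[:purl] }
    end
  }.to_json
end

# Minimal XML BOM: the default namespace carries the selected version.
def build_bom_xml(gems, spec_version)
  doc = REXML::Document.new
  doc << REXML::XMLDecl.new('1.0', 'UTF-8')
  bom = doc.add_element('bom', 'xmlns' => cyclonedx_xml_namespace(spec_version), 'version' => '1')
  components = bom.add_element('components')
  gems.each do |g|
    c = components.add_element('component', 'type' => 'library')
    c.add_element('name').text = g[:name]
    c.add_element('version').text = g[:version]
    c.add_element('purl').text = g[:purl]
  end
  out = +''
  doc.write(out)
  out
end

# Routing point, matching the build_bom(gems, format, spec_version) signature in the PR.
def build_bom(gems, format, spec_version)
  case format
  when 'json' then build_json_bom(gems, spec_version)
  when 'xml'  then build_bom_xml(gems, spec_version)
  else raise ArgumentError, "unknown output format '#{format}'"
  end
end

# Read the version back out of the produced document (hypothetical helper): this is
# the assertion a feature test for --spec-version should make on both formats.
def spec_version_of(output, format)
  case format
  when 'json' then JSON.parse(output)['specVersion']
  when 'xml'  then REXML::Document.new(output).root.namespace.delete_prefix('http://cyclonedx.org/schema/bom/')
  else raise ArgumentError, "unknown output format '#{format}'"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby spec_version_example.rb [1.1..1.7] [json|xml]
  version = select_spec_version(ARGV[0])
  puts build_bom(SAMPLE_GEMS, ARGV.fetch(1, 'json'), version)
end
```

One caveat worth carrying into the real tests: CycloneDX's JSON encoding was first specified in 1.2, so selecting 1.1 with JSON output yields a document that no published JSON schema describes; a test that validates each supported version against its schema would surface that combination rather than letting it pass as "valid" output.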
--spec-version flag (default 1.7).
NOTE: bom-ref, publisher, metadata.tools, dependencies are optional and can be added incrementally.
Files:
- lib/bom_helpers.rb: SUPPORTED_SPEC_VERSIONS, cyclonedx_xml_namespace helper. build_bom now accepts spec_version and routes to: build_json_bom(gems, spec_version) sets specVersion to the provided version; build_bom_xml(gems, spec_version) sets xmlns to http://cyclonedx.org/schema/bom/<version>.
- lib/bom_builder.rb: --spec-version with validation; default is 1.7. @spec_version into build_bom(@gems, @bom_output_format, @spec_version).