CycloneDX / cyclonedx-go

Go library to consume and produce CycloneDX Software Bill of Materials (SBOM)

Home Page: https://cyclonedx.org/

Specification version 1.5 support

paulkoko opened this issue · comments

Are there plans to add support for 1.5?

commented

Hi @paulkoko, yes it is planned and I'm working on it. Just scrambling for time to complete it currently.

A good chunk is already done in #90, and some tiny parts are already merged to master.

Hi, any updates on this progress?
(Trivy defaults to 1.5 in its output since Jun 30 - which we are unable to consume currently)

commented

Hey @niclas-g, I really want to get this done but am a bit time constrained with other priorities right now.

If you're willing and able to, you could help by either contributing missing parts in #90, or alternatively test the changes that currently exist in that branch, and let me know of any issues you run into.

If you have an existing code base you could test on with v1.5 BOMs, that'd be super helpful.

When you say you can't consume BOMs generated by Trivy, is it that info is being dropped, or is decoding failing entirely?

If you're willing and able to, you could help by either contributing missing parts in #90, or alternatively test the changes that currently exist in that branch, and let me know of any issues you run into.

If you have an existing code base you could test on with v1.5 BOMs, that'd be super helpful.

I'll be happy to test against our codebase, I'll see if I can put some time towards it this week or next.

When you say you can't consume BOMs generated by Trivy, is it that info is being dropped, or is decoding failing entirely?

Decoding fails entirely, it returns an ErrInvalidSpecVersion here when it discovers that it's an unsupported version.

commented

@niclas-g Decoding fails entirely, it returns an ErrInvalidSpecVersion here when it discovers that it's an unsupported version.

Ah, I see. This is technically fixed in master already

// UnmarshalJSON reads the "specVersion" JSON string and maps it onto the
// SpecVersion enum. Any value outside the known set is rejected with
// ErrInvalidSpecVersion, which is the error the thread above refers to.
func (sv *SpecVersion) UnmarshalJSON(bytes []byte) error {
	var v string
	err := json.Unmarshal(bytes, &v)
	if err != nil {
		return err
	}
	switch v {
	case SpecVersion1_0.String():
		*sv = SpecVersion1_0
	case SpecVersion1_1.String():
		*sv = SpecVersion1_1
	case SpecVersion1_2.String():
		*sv = SpecVersion1_2
	case SpecVersion1_3.String():
		*sv = SpecVersion1_3
	case SpecVersion1_4.String():
		*sv = SpecVersion1_4
	case SpecVersion1_5.String():
		*sv = SpecVersion1_5
	default:
		return ErrInvalidSpecVersion
	}
	return nil
}

// jsonSchemas maps each spec version to the JSON schema used for validation.
// 1.0 and 1.1 have no entry because the JSON format was introduced with 1.2.
var jsonSchemas = map[SpecVersion]string{
	SpecVersion1_0: "",
	SpecVersion1_1: "",
	SpecVersion1_2: "http://cyclonedx.org/schema/bom-1.2.schema.json",
	SpecVersion1_3: "http://cyclonedx.org/schema/bom-1.3.schema.json",
	SpecVersion1_4: "http://cyclonedx.org/schema/bom-1.4.schema.json",
	SpecVersion1_5: "http://cyclonedx.org/schema/bom-1.5.schema.json",
}

For a short-term "solution" I could cut a v0.7.2 release, so that at least decoding works again. Would that help?

@nscuro, that would be great!

commented

@niclas-g Here we go: https://github.com/CycloneDX/cyclonedx-go/releases/tag/v0.7.2

Would still very much appreciate it if you could also test the spec-v1.5 branch with your code base! :)

Thanks @nscuro! I'll have a look at the release shortly and try out the branch against our code base next week.

Ok, now I have had some time to test the spec-v1.5 branch against our codebase and it runs without any problems @nscuro. That said, we are not looking at anything new introduced in the 1.5 version yet. But the branch doesn't break our application so we are happy :) Keep up the good work! 👍

Is there a list of 1.5 features that are not yet supported? For example

  • modelcard
  • data
  • signature
  • additionalProperties
  • attachment
  • hash-alg
  • condition

I am concerned about Metadata.Tools, https://github.com/CycloneDX/cyclonedx-go/blob/master/cyclonedx.go#L439

It seems like it will not be possible to deserialize both 1.4 and 1.5 SBOMs into the same structure without a custom deserializer.
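The shape problem raised in the comment above (a 1.4 `metadata.tools` array versus the 1.5 object, which 1.5 still accepts alongside the deprecated array form) is exactly the case a custom deserializer on the field itself can absorb. The following is an added Go example written for this page, not code from cyclonedx-go: the type names (`ToolsChoice`, `Tool`, `Component`, `Service`, `ToolNames`), the error name `ErrInvalidTools` and the two sample documents are assumptions constructed for it, and the component and service objects are reduced to the few fields the example reads. The decoder looks at the first byte of the raw JSON value and decodes whichever shape it finds, so one struct handles both versions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
)

// ErrInvalidTools is this example's own error name, not a library identifier.
var ErrInvalidTools = errors.New("metadata.tools: expected a JSON array or object")

// Tool is the flat legacy entry used by spec 1.4 and earlier (1.5 still allows it).
type Tool struct {
	Name    string `json:"name,omitempty"`
	Version string `json:"version,omitempty"`
}

// Component and Service are reduced stand-ins for the objects inside the 1.5
// "tools" object; only the fields this example reads are modelled.
type Component struct {
	Type string `json:"type"`
	Name string `json:"name"`
}

type Service struct {
	Name string `json:"name"`
}

// ToolsChoice holds whichever shape the document used: the legacy array in
// Tools, or the 1.5 object in Components and Services.
type ToolsChoice struct {
	Tools      []Tool
	Components []Component
	Services   []Service
}

// UnmarshalJSON dispatches on the first byte of the raw value, so one struct
// decodes both 1.4- and 1.5-style documents without a per-version type.
func (tc *ToolsChoice) UnmarshalJSON(data []byte) error {
	data = bytes.TrimSpace(data)
	if bytes.Equal(data, []byte("null")) {
		*tc = ToolsChoice{}
		return nil
	}
	switch {
	case bytes.HasPrefix(data, []byte("[")): // legacy: array of tool objects
		var legacy []Tool
		if err := json.Unmarshal(data, &legacy); err != nil {
			return err
		}
		*tc = ToolsChoice{Tools: legacy}
	case bytes.HasPrefix(data, []byte("{")): // 1.5: object with components/services
		var obj struct {
			Components []Component `json:"components"`
			Services   []Service   `json:"services"`
		}
		if err := json.Unmarshal(data, &obj); err != nil {
			return err
		}
		*tc = ToolsChoice{Components: obj.Components, Services: obj.Services}
	default:
		return ErrInvalidTools
	}
	return nil
}

type Metadata struct {
	Tools *ToolsChoice `json:"tools,omitempty"`
}

type BOM struct {
	SpecVersion string    `json:"specVersion"`
	Metadata    *Metadata `json:"metadata,omitempty"`
}

// ToolNames decodes a BOM and returns the names of the tools that produced it,
// whichever "tools" shape the document used.
func ToolNames(raw string) ([]string, error) {
	var bom BOM
	if err := json.Unmarshal([]byte(raw), &bom); err != nil {
		return nil, err
	}
	if bom.Metadata == nil || bom.Metadata.Tools == nil {
		return nil, nil
	}
	tc := bom.Metadata.Tools
	var names []string
	for _, t := range tc.Tools {
		names = append(names, t.Name)
	}
	for _, c := range tc.Components {
		names = append(names, c.Name)
	}
	for _, s := range tc.Services {
		names = append(names, s.Name)
	}
	return names, nil
}

// Constructed sample documents (not real scanner output).
const bom14 = `{"specVersion":"1.4","metadata":{"tools":[{"name":"example-tool","version":"0.0.1"}]}}`
const bom15 = `{"specVersion":"1.5","metadata":{"tools":{"components":[{"type":"application","name":"example-tool"}]}}}`
```

Because the decision is made on the raw bytes of the field rather than on `specVersion`, a 1.5 document that still uses the deprecated array form decodes the same way as a 1.4 one, and a value of any other JSON type is rejected explicitly instead of being silently dropped. A matching `MarshalJSON` that re-emits the shape that was decoded is the natural companion if round-tripping documents unchanged matters.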

Handling Metadata.tools discussion is in #115