
Conversation

@jkowalleck
Member

@jkowalleck jkowalleck commented Oct 25, 2023

This is the main PR for all release 4.0.0 work.
See progress: https://github.com/CycloneDX/cyclonedx-python/milestone/3


Changelog

See also the migration guide in the docs.

  • BC: Removed support for python < 3.8
  • BC: Removed deprecated shell script cyclonedx-bom; use cyclonedx-py instead
  • BC: Removed conda support. However, conda's Python environments are fully supported. See below.
  • BC: Removed public API. You may use the CLI instead; see the chapter "usage" in the docs.
  • BC: Complete redesign of the command line interface (CLI):
    • Uses sub-commands for easy accessibility and divides them into specific purposes and domains
    • Easily understandable flags, switches and options -- in accordance with the domains
    • Updated help pages, added usage examples
  • Dozens of new features and fixes, such as:
    • environment analyzer supports any Python (virtual) environment --
      including support for, but not limited to: conda, Hatch, PDM, Pipenv, Poetry, venv, virtualenv
    • Poetry analyzer supports groups, filtering, and such
    • Pipenv analyzer supports categories, filtering, and such
    • requirements analyzer is feature complete and fixed
    • More details in the SBOM results (based on method)
    • PackageURLs may have more qualifiers (enabled by default, disable via --short-PURLs)
    • component properties according to official taxonomy
    • SBOM results may be validated (enabled by default, disable via --no-validate)
    • SBOM results may have dependency graph populated (if supported by method - applies to environment and Poetry)
    • SBOM results may have root-component populated (if pyproject provided)
    • SBOM results are more diff-friendly and not just one long line of text
    • Fixed possible issues with input data encoding
    • May omit dev-dependencies or domain-specific groups/categories (if supported by method and issued by CLI switches)
    • Strip authentication secrets from (private) download/index URLs
    • Support CycloneDX 1.5 - which is the default now
  • Upgraded documentation, examples, ...
  • Complete rewrite from scratch
  • Dependencies were bumped, dropped, added, ...
  • QA and test suites were massively enhanced

Documentation

see https://cyclonedx-bom-tool.readthedocs.io/en/dev-4.0.0/

Release Candidate

Release candidates are available from PyPI:

python -m pip install cyclonedx-bom==4.0.0rc6   # install via pip
pipx install          cyclonedx-bom==4.0.0rc6   # install via pipx
poetry add            cyclonedx-bom==4.0.0rc6   # install via poetry
# ... you get the idea ...

Release candidates are available from dockerhub:

docker pull cyclonedx/cyclonedx-python:4.0.0-rc.6

Includes/fixes/invalidates:


coverage report here: #605 (comment)

madpah and others added 30 commits March 7, 2023 12:31
Signed-off-by: Paul Horton <[email protected]>
BREAKING CHANGE: Drop support for Python 3.6

feat: bump `cyclonedx-python-lib` to latest RC of `4.0.x`

chore: upgrade `poetry` to `1.4.0`
chore: removed `autopep8` in favour of `flake8`

Signed-off-by: Paul Horton <[email protected]>
BREAKING CHANGE: remove deprecated `cyclonedx-bom` command #488
Signed-off-by: Paul Horton <[email protected]>
Signed-off-by: Thomas Graf <[email protected]>
…(`pipenv` and `poetry` only)

Feat: omit development dependencies from SBOM results
@jkowalleck
Member Author

re #605 (comment)

@JCHacking thank you for your time and effort :-)

---------

Signed-off-by: Jan Kowalleck <[email protected]>
@jkowalleck jkowalleck merged commit 6d24e65 into main Jan 31, 2024
@jkowalleck jkowalleck deleted the dev/4.0.0 branch March 14, 2024 15:02