Release Notes
Fixed
- Do not include a license file if SPDX license identifiers are present, fixing a spec compliance issue which doesn't allow both at once ([#826])
- Do not include subcomponents in metadata.component when describing individual build artifacts (as opposed to an entire crate), fixing interoperability with some CycloneDX deserializing libraries ([#828])
Install cargo-cyclonedx 0.5.8
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/CycloneDX/cyclonedx-rust-cargo/releases/download/cargo-cyclonedx-0.5.8/cargo-cyclonedx-installer.sh | sh
Install prebuilt binaries via powershell script
powershell -ExecutionPolicy Bypass -c "irm https://github.com/CycloneDX/cyclonedx-rust-cargo/releases/download/cargo-cyclonedx-0.5.8/cargo-cyclonedx-installer.ps1 | iex"
Download cargo-cyclonedx 0.5.8
| File | Platform | Checksum |
|---|---|---|
| cargo-cyclonedx-aarch64-apple-darwin.tar.xz | Apple Silicon macOS | checksum |
| cargo-cyclonedx-x86_64-apple-darwin.tar.xz | Intel macOS | checksum |
| cargo-cyclonedx-x86_64-pc-windows-msvc.zip | x64 Windows | checksum |
| cargo-cyclonedx-aarch64-unknown-linux-gnu.tar.xz | ARM64 Linux | checksum |
| cargo-cyclonedx-x86_64-unknown-linux-gnu.tar.xz | x64 Linux | checksum |
| cargo-cyclonedx-x86_64-unknown-linux-musl.tar.xz | x64 MUSL Linux | checksum |
Verifying GitHub Artifact Attestations
The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:
gh attestation verify <file-path of downloaded artifact> --repo CycloneDX/cyclonedx-rust-cargo
You can also download the attestation from GitHub and verify against that directly:
gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>