SBOM::CycloneDX 1.7

giterlizzi · giterlizzi · commit cf70504d304d · 2026-01-21T17:22:43.000+01:00
diff --git a/.github/workflows/perltest.yml b/.github/workflows/perltest.yml
@@ -1,17 +1,12 @@
-# This is a basic workflow to help you get started with Actions
-
 name: CI
 
-# Controls when the action will run. Triggers the workflow on push or pull request
-# events but only for the main branch
 on:
   push:
     branches: [ 'main', 'develop' ]
   pull_request:
     branches: [ 'main' ]
   workflow_dispatch:
 
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   build:
     runs-on: ${{ matrix.os }}
@@ -30,7 +25,6 @@ jobs:
       - run: cpanm Module::Install
       - run: cpanm -n --installdeps .
       - run: prove -lv t
-
   coverage:
     runs-on: ubuntu-latest
     container: davorg/perl-coveralls:latest
diff --git a/Changes b/Changes
@@ -1,6 +1,6 @@
 Change history for SBOM::CycloneDX
 
-1.0? 2026-01-??
+1.07 2026-01-21
     - Improved support for CycloneDX 1.7 (https://cyclonedx.org/docs/1.7/json/)
     - Improved documentations
     - Improved ENUM classes
diff --git a/lib/SBOM/CycloneDX.pm b/lib/SBOM/CycloneDX.pm
@@ -30,7 +30,7 @@ use constant JSON_SCHEMA_1_5 => 'http://cyclonedx.org/schema/bom-1.5.schema.json
 use constant JSON_SCHEMA_1_6 => 'http://cyclonedx.org/schema/bom-1.6.schema.json';
 use constant JSON_SCHEMA_1_7 => 'http://cyclonedx.org/schema/bom-1.7.schema.json';
 
-our $VERSION = 1.06_2;
+our $VERSION = 1.07;
 
 our %JSON_SCHEMA = (
     '1.2' => JSON_SCHEMA_1_2,
@@ -327,15 +327,15 @@ SBOM::CycloneDX - CycloneDX Perl Library
 
 =head1 DESCRIPTION
 
-L<SBOM::CycloneDX> is a library for generate valid CycloneDX BOM file.
+L<SBOM::CycloneDX> is a library for generate valid OWASP CycloneDX BOM file.
 
-CycloneDX (ECMA-424) is a modern standard for the software supply chain. At its core,
-CycloneDX is a general-purpose Bill of Materials (BOM) standard capable of
-representing software, hardware, services, and other types of inventory.
-The CycloneDX standard began in 2017 in the Open Worldwide Application Security
-Project (OWASP) community. CycloneDX is an OWASP flagship project, has a formal
-standardization process and governance model, and is supported by the global
-information security community.
+OWASP CycloneDX (ECMA-424) is a modern standard for the software supply chain. 
+At its core, CycloneDX is a general-purpose Bill of Materials (BOM) standard 
+capable of representing software, hardware, services, and other types of 
+inventory. The CycloneDX standard began in 2017 in the Open Worldwide 
+Application Security Project (OWASP) community. CycloneDX is an OWASP flagship 
+project, has a formal standardization process and governance model, and is 
+supported by the global information security community.
 
 CycloneDX far exceeds the L<Minimum Elements for Software Bill of Materials|https://www.ntia.gov/files/ntia/publications/sbom_minimum_elements_report.pdf>
 as defined by the L<National Telecommunications and Information Administration (NTIA)|https://www.ntia.gov/>
@@ -661,6 +661,8 @@ This is the class hierarchy of the L<SBOM::CycloneDX> distribution.
 
 =item * L<SBOM::CycloneDX::List>
 
+=item * L<SBOM::CycloneDX::Lite>
+
 =item * L<SBOM::CycloneDX::Timestamp>
 
 =item * L<SBOM::CycloneDX::Util>
@@ -676,6 +678,26 @@ and implements the following new ones.
 
 =item SBOM::CycloneDX->new( %PARAMS )
 
+Create new CycloneDX instance.
+
+    my $bom = SBOM::CycloneDX->new(
+        spec_version  => '1.5',
+        version       => 1,
+        serial_number => $serial_number
+    );
+
+    $bom->components->add($component);
+
+    say $bom;
+
+=item $bom->spec_version
+
+The version of the CycloneDX specification the BOM conforms to.
+
+Default version is B<1.7>.
+
+    $bom->spec_version('1.5');
+
 =item $bom->version
 
 Whenever an existing BOM is modified, either manually or through
@@ -684,6 +706,15 @@ incremented by 1. When a system is presented with multiple BOMs
 with identical serial numbers, the system SHOULD use the most
 recent version of the BOM. The default version is '1'.
 
+=item $bom->serial_number
+
+Every BOM generated SHOULD have a unique serial number, even if the contents of 
+the BOM have not changed over time. If specified, the serial number must 
+conform to L<RFC 4122|https://www.ietf.org/rfc/rfc4122.html>. Use of serial 
+numbers is recommended.
+
+    $bom->serial_number('urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79');
+
 =item $bom->metadata
 
 Provides additional information about a BOM.
@@ -857,7 +888,7 @@ Return L<SBOM::CycloneDX::List> with a list of vulnerabilities with the same C<b
 
 Return L<SBOM::CycloneDX::List> with a list of components affected with the same C<cve_id>.
 
-    say $_->bom_ref for($bom->get_affected_components_by_cve('CVE-2025-1234')->list);
+    say $_->bom_ref for($bom->get_affected_components_by_cve('CVE-2025-12345')->list);
 
 =item $bom->validate
 
@@ -882,6 +913,12 @@ Encode in JSON.
 
     say "$bom";
 
+=item $bom->to_hash
+
+Convert BOM object in HASH.
+
+    my $hashref = $bom->to_hash;
+
 =item $bom->TO_JSON
 
 Encode in JSON.
diff --git a/lib/SBOM/CycloneDX/Base.pm b/lib/SBOM/CycloneDX/Base.pm
@@ -25,8 +25,11 @@ sub to_string {
 sub to_hash {
 
     my $self = shift;
+
     my $json = $self->to_string;
-    return Cpanel::JSON::XS->new->decode($json);
+    my $hash = Cpanel::JSON::XS->new->decode($json);
+
+    return $hash;
 
 }
 
diff --git a/lib/SBOM/CycloneDX/Enum.pm b/lib/SBOM/CycloneDX/Enum.pm
@@ -129,13 +129,26 @@ SBOM::CycloneDX::Enum - Enumeration
 
     use SBOM::CycloneDX::Enum;
 
-    say $_ for (@{SBOM::CycloneDX::Enum->SPDX_LICENSES})
+    say $_ for (@{ SBOM::CycloneDX::Enum->SPDX_LICENSES });
+
+
+    say $_ for (@{ SBOM::CycloneDX::Enum->values('EXTERNAL_REFERENCE_TYPE') });
 
 =head1 DESCRIPTION
 
 L<SBOM::CycloneDX::Enum> is internal class used by L<SBOM::CycloneDX>.
 
 
+=head1 METHODS
+
+=over
+
+=item SBOM::CycloneDX::Enum->values( $CONSTANT )
+
+Return the provided C<CONSTANT> Enum values.
+
+=back
+
 =head1 CONSTANTS
 
 =over
