Spec 1.5 is not supported

[andreycha]

I'm using CLI to merge BOM files produces by several different CycloneDX tools. Some of them already generate BOM of version 1.5 and I merge throws an exception:

Unhandled exception: System.ArgumentException: Unsupported specification version: 1.5
        at CycloneDX.Models.Bom.set_SpecVersionString(String value)
        at System.Text.Json.Serialization.Metadata.JsonPropertyInfo`1.ReadJsonAndSetMember(Object , ReadStack& , Utf8JsonReader& )
        at System.Text.Json.Serialization.Converters.ObjectDefaultConverter`1.OnTryRead(Utf8JsonReader& , Type , JsonSerializerOptions , ReadStack& , T& )
        at System.Text.Json.Serialization.JsonConverter`1.TryRead(Utf8JsonReader& , Type , JsonSerializerOptions , ReadStack& , T& )
        at System.Text.Json.Serialization.JsonConverter`1.ReadCore(Utf8JsonReader& , JsonSerializerOptions , ReadStack& )
        at System.Text.Json.JsonSerializer.ReadCore[TValue](JsonConverter , Utf8JsonReader& , JsonSerializerOptions , ReadStack& )
        at System.Text.Json.JsonSerializer.ReadCore[TValue](JsonReaderState& , Boolean , ReadOnlySpan`1 , JsonSerializerOptions , ReadStack& , JsonConverter )
        at System.Text.Json.JsonSerializer.ContinueDeserialize[TValue](ReadBufferState& , JsonReaderState& , ReadStack& , JsonConverter , JsonSerializerOptions )
        at System.Text.Json.JsonSerializer.ReadAllAsync[TValue](Stream , JsonTypeInfo , CancellationToken )
        at CycloneDX.Json.Serializer.DeserializeAsync(Stream jsonStream)
        at CycloneDX.Cli.CliUtils.InputBomHelper(String filename, CycloneDXBomFormat format)
        at CycloneDX.Cli.Commands.MergeCommand.InputBoms(IEnumerable`1 inputFilenames, CycloneDXBomFormat inputFormat, Boolean outputToConsole)
        at CycloneDX.Cli.Commands.MergeCommand.Merge(MergeCommandOptions options)
        at System.CommandLine.Invocation.CommandHandler.GetExitCodeAsync(Object value, InvocationContext context)
        at System.CommandLine.Invocation.ModelBindingCommandHandler.InvokeAsync(InvocationContext context)
        at System.CommandLine.Invocation.InvocationPipeline.<>c__DisplayClass4_0.<<BuildInvocationChain>b__0>d.MoveNext()

CLI (or better to say cyclonedx-dotnet-library) supports only up to 1.4. Please consider adding support for 1.5. Thanks!

[candrews]

Other tools, such as Trivy, are now producing CycloneDX 1.5 SBOM's: https://github.com/aquasecurity/trivy/releases/tag/v0.43.0

[candrews]

Reported issue to the library at CycloneDX/cyclonedx-dotnet-library#237

[frabys]

Confirmed @andreycha 's finding. The latest Trivy version automatically produces CycloneDX BOM version 1.5 files, there seems to be no way to configure the output version manually. The options for users are to either downgrade Trivy, or replace CycloneDX-CLI with something else, which would in my case both be rather tedious as it´s used a lot in automation. Thanks!

[Hritik14]

Even cdxgen provides v1.5 files. Given both are under same org, please consider supporting 1.5

[candrews]

It appears that cyclonedx-cli was released a short time ago and it include cyclonedx 1.5 support: https://github.com/CycloneDX/cyclonedx-cli/releases/tag/v0.25.0

[robertlagrant]

I don't think it's available on Homebrew yet for some reason.

[leec94]

i have the same issue, homebrew's latest version is 0.24.2. @coderpatros can the version in homebrew be updated to 0.25.0? thank you

[robertlagrant]

@leec94 It's updated.

[leec94]

oh great, thanks for letting me know @robertlagrant

[robertlagrant]

@andreycha I believe this can be closed?

[frabys]

Confirm it´s working with the updated version. Thanks a lot @robertlagrant and @candrews for pointing it out!