Change default spec version to latest #1173
Comments
Changing the default values has no benefit for anybody in this case - it would not affect the SBOM result in any way. So I do not see your point here. I am well aware of adopting new standards. But it took the CycloneDX community several months to adopt spec 1.5 when it came to ingesting the data.
See for example, DependencyTrack - CDX 1.5 support was introduced on October 16, 2023.
See https://docs.dependencytrack.org/changelog/ As of today, DT v4.10.1 is the "latest" version. It was built months before CycloneDX 1.6 was released...
And none of its features is used in this tool, yet. All in all, I see your request, and still I do not see any reason to change a default value to 1.6 yet. -> I will close this issue as soon as the "latest" version became the default. No worries.
Is your feature request related to a problem? Please describe.
I'm always frustrated when I have to manually look up the newest version of the CycloneDX spec and specify it manually via the cli. Newer versions of the spec bring improvements and defaulting to old versions hinders adoption.
Describe the solution you'd like
It would be very nice if the newest supported version were the default; then one doesn't have to specify a spec version and can nevertheless use the latest and greatest version of CycloneDX.
Describe alternatives you've considered
Adopt a clear guideline on when to change the default to a new version, if not changing it immediately, but rather e.g. 1 week/month/year after release of the new spec version.
Additional context
Version 1.4 (the current default) was released on 12 January 2022, so it is over two years old now and has been the default for at least 1.5 years now.
Version 1.5 was released on 26 June 2023, so it is almost a year old now as well.
Version 1.6 was released on 09 April 2024, so it is almost 2 weeks old now as well, but has been supported for over a month now.
Dependency Track works flawlessly with CycloneDX 1.6.